Checkmarx Jenkins Plugin Compromised in TeamPCP Supply Chain Attack

Severity: High (Score: 72.0)

Sources: Checkmarx, The Register, socradar.io

Summary

Checkmarx reported that a malicious version of its Jenkins AST plugin was uploaded to the Jenkins Marketplace on May 9, 2026. Users are advised to use only version 2.0.13-829.vc72453fa_1c16, published on December 17, 2025. The compromised plugin could give attackers access to source code and other sensitive information in CI pipelines. This is the third compromise of Checkmarx software attributed to the TeamPCP group within a few months. The malware involved, Shai-Hulud, has previously affected thousands of repositories and npm packages. The unauthorized upload was detected by security engineer Adnan Khan. Checkmarx is working on a new plugin version to address the issue; in the meantime the plugin remains available for installation despite the ongoing threat.

Key Points

  • A malicious version of Checkmarx's Jenkins AST plugin was uploaded to the Jenkins Marketplace.
  • Users must ensure they are running only the known-good version 2.0.13-829.vc72453fa_1c16 from December 2025.
  • This incident is part of a series of attacks by the TeamPCP group targeting Checkmarx's software.
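The advice above reduces to one operational check: confirm that every Jenkins controller runs exactly the pinned plugin version and nothing else. The following script is an added example, not code from Checkmarx or the Jenkins project. It parses the JSON that Jenkins' plugin manager API (`/pluginManager/api/json?depth=1`) returns and flags any deviation from the pinned version. The plugin short name `checkmarx-ast-scanner` is an assumption and should be verified against your own instance's plugin list; the sample API response is constructed inline so the check runs offline.

```python
"""Audit a Jenkins plugin list against a single pinned, known-good version.

The /pluginManager/api/json?depth=1 endpoint is a real Jenkins API; the JSON
parsed below is a constructed sample in the same shape so this runs offline.
The plugin ID "checkmarx-ast-scanner" is an assumption (example code, not
Checkmarx's or Jenkins' own); the pinned version is the one named as safe.
"""
import base64
import json
import sys
import urllib.request
from typing import List

PINNED_PLUGIN = "checkmarx-ast-scanner"        # assumed plugin short name
PINNED_VERSION = "2.0.13-829.vc72453fa_1c16"   # version named as safe in the advisory

# Constructed sample response mirroring the fields Jenkins returns
# (shortName, version, active, enabled). Not captured from a real instance.
SAMPLE_RESPONSE = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.1", "active": True, "enabled": True},
        {"shortName": PINNED_PLUGIN, "version": PINNED_VERSION,
         "active": True, "enabled": True},
    ]
})


def audit_plugins(response_json: str,
                  plugin_id: str = PINNED_PLUGIN,
                  pinned_version: str = PINNED_VERSION) -> List[str]:
    """Return a list of findings; an empty list means the expected state.

    Findings: plugin at a version other than the pinned one, plugin installed
    but inactive/disabled (the running code cannot be vouched for), or plugin
    absent (reported so the operator knows the check was vacuous).
    """
    data = json.loads(response_json)
    findings: List[str] = []
    matches = [p for p in data.get("plugins", []) if p.get("shortName") == plugin_id]
    if not matches:
        findings.append(f"{plugin_id}: not installed")
        return findings
    for p in matches:
        ver = p.get("version", "<unknown>")
        # Exact match only: the advisory names one safe version, so no
        # "newer is fine" logic is applied here.
        if ver != pinned_version:
            findings.append(
                f"{plugin_id}: installed version {ver} != pinned {pinned_version}")
        if not (p.get("active", False) and p.get("enabled", False)):
            findings.append(f"{plugin_id}: installed but not active/enabled")
    return findings


def fetch_plugin_list(base_url: str, user: str, api_token: str) -> str:
    """Fetch the live plugin list from a Jenkins controller with basic auth.

    Not called in the offline demo; pass its result to audit_plugins().
    """
    url = f"{base_url.rstrip('/')}/pluginManager/api/json?depth=1"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    results = audit_plugins(SAMPLE_RESPONSE)
    for finding in results:
        print("FINDING:", finding)
    sys.exit(1 if results else 0)
```

Run it against each controller (via `fetch_plugin_list` with a read-only API token) and treat a non-empty finding list as a blocking condition; the same pinned string can be placed in a `plugins.txt` consumed by `jenkins-plugin-cli` so that image builds cannot silently pick up a newer upload.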

Key Entities

  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • TeamPCP Supply Chain Attacks (campaign)
  • Checkmarx (company)
  • SAP (company)
  • Shai-Hulud (malware)
  • T1195 - Supply Chain Compromise (mitre_attack)
  • GitHub (platform)
  • Jenkins (platform)
  • KICS (tool)