Checkmarx Warns of Malicious Jenkins Plugin in Supply Chain Attack
AI-generated from multiple sources. Verify before acting on this reporting.
JERUSALEM — Additional reports have confirmed the scope of the supply chain attack targeting Checkmarx's Jenkins AST plugin. The cybersecurity firm has received further information corroborating that the tampered plugin version was distributed to developers worldwide. The new data reinforces the initial warning issued on Monday about the malicious plugin published to the Jenkins Marketplace. The incident remains linked to the TeamPCP hacker gang, which previously infiltrated Checkmarx systems in March 2025. As the investigation continues, Checkmarx is working to identify all affected users and to mitigate the impact of the compromised repository. The firm has not yet specified how many additional reports it has received or which regions the latest findings affect. Security experts recommend that all Jenkins users immediately audit their environments for the malicious plugin version and follow Checkmarx's remediation guidance. The company is expected to release further details as more information becomes available.
JERUSALEM — Checkmarx warned users on Monday that a malicious version of its Jenkins AST plugin was published to the Jenkins Marketplace as part of an ongoing supply chain attack.
The cybersecurity firm disclosed the compromise of its software repository, which allowed attackers to distribute a tampered version of the plugin to developers globally. The incident marks a resurgence in a campaign that began in March 2025, when the TeamPCP hacker gang first infiltrated Checkmarx systems.
Checkmarx stated that the malicious artifact was uploaded to the public Jenkins Marketplace, a central hub where developers download build automation tools. The company urged all users to immediately stop using the affected plugin and to review their systems for signs of unauthorized access. The firm is working to remove the compromised version from the marketplace and restore integrity to its software distribution channels.
The attack represents a continuation of a long-term intrusion. TeamPCP, a group known for targeting software supply chains, initially gained access to Checkmarx infrastructure in early 2025. While the company addressed the initial breach, attackers reportedly re-established access months later, leading to the release of the new malicious code.
Lapsus$, an extortion group frequently associated with TeamPCP operations, has been linked to the release of stolen data from the Checkmarx network. The group has threatened to publish sensitive information unless demands are met, a tactic common in recent supply chain compromises. Checkmarx did not specify whether the malicious plugin contained backdoors or other malicious payloads, but the company emphasized the risk of code execution within affected build pipelines.
The Jenkins Marketplace serves as critical infrastructure for software development, hosting thousands of plugins used by enterprises worldwide. A compromised plugin can propagate malware across multiple organizations, potentially affecting supply chains far beyond the initial target. Security experts note that supply chain attacks have become increasingly sophisticated, with attackers focusing on trusted software repositories to maximize impact.
Checkmarx has notified affected customers and is cooperating with law enforcement agencies to investigate the intrusion. The company has not confirmed whether any customer data was exfiltrated through the malicious plugin, though the potential for widespread compromise remains a concern.
The incident highlights the persistent threat posed by organized hacker groups targeting software vendors. As companies rely more heavily on third-party tools, the software supply chain has become a critical point of exposure. Checkmarx's warning serves as a reminder of the ongoing risks in the global software ecosystem.
Questions remain about the full extent of the compromise and whether other Checkmarx products were affected. The company has not provided a timeline for a complete resolution, and the Jenkins Marketplace has not confirmed whether the malicious plugin has been fully removed. As the investigation continues, developers are advised to monitor their systems for anomalies and update their security protocols.