{"id":7079,"date":"2026-05-12T02:17:31","date_gmt":"2026-05-12T02:17:31","guid":{"rendered":"https:\/\/delimiter.online\/blog\/checkmarx-confirms-new-jenkins-plugin-compromise\/"},"modified":"2026-05-12T02:17:31","modified_gmt":"2026-05-12T02:17:31","slug":"checkmarx-confirms-new-jenkins-plugin-compromise","status":"publish","type":"post","link":"https:\/\/delimiter.online\/blog\/checkmarx-confirms-new-jenkins-plugin-compromise\/","title":{"rendered":"Checkmarx Confirms New Jenkins Plugin Compromise"},"content":{"rendered":"

Checkmarx<\/a> has confirmed that a threat actor published a compromised version of its Jenkins<\/a> AST Plugin<\/a> to the official Jenkins Marketplace, marking the second such supply chain incident involving the company in recent weeks.<\/p>\n

In a statement released over the weekend, the cybersecurity firm warned users of the Checkmarx Jenkins AST plugin to verify they are using version 2.0.13-829.vc72453fa_1c16, which was published on December 17, 2025, or an earlier legitimate release. The modified plugin was uploaded under the name “TeamPCP,” raising immediate concerns about unauthorized access to software supply chains.<\/p>\n

Background of the Breach<\/h2>\n

The incident follows a previous attack in late November 2025, when Checkmarx disclosed that a malicious actor had compromised its KICS (Checkmarx Infrastructure as Code Scanning) plugin on the Jenkins Marketplace. In that earlier case, the threat actor leveraged a typosquatting technique to trick users into downloading a fraudulent package.<\/p>\n

Checkmarx has not provided specifics on how the TeamPCP actor gained the ability to publish a modified plugin. However, the company has advised all users to audit their current installations and immediately update to the confirmed safe version if they are running any other build.<\/p>\n

Implications for Jenkins Users<\/h2>\n

Jenkins is an open source automation server widely used by software development teams for continuous integration and delivery. Plugin compromises pose a significant risk because they can inject malicious code directly into build pipelines, potentially exfiltrating credentials, source code, or deployment secrets.<\/p>\n

Security researchers tracking the incident noted that the TeamPCP variant appeared to contain modified binaries and altered metadata, though Checkmarx has not fully disclosed the nature of the payload. The company stated it is working with Jenkins administrators to remove the rogue plugin from the marketplace.<\/p>\n

Supply Chain Attack Patterns<\/h4>\n

Supply chain attacks targeting CI\/CD tools have increased in frequency, as threat actors seek to compromise trusted distribution channels. The Checkmarx incidents highlight vulnerabilities in plugin publishing systems, where verification processes may not always catch impersonation or credential theft.<\/p>\n

Industry observers pointed out that while Checkmarx has been transparent about both incidents, the repeated compromise of its plugin ecosystem raises questions about the security of third party integrations in the Jenkins platform. The Jenkins project has not issued a separate advisory as of publication.<\/p>\n

Next Steps for Affected Organizations<\/h2>\n

Checkmarx has urged users to run a full security audit of their Jenkins environments and review any recent builds processed by the plugin. The company also recommended that organizations rotate any credentials or API keys that may have been exposed during the window of compromise.<\/p>\n

As of writing, Checkmarx has released updated guidance on its official documentation portal. The company has not announced a timeline for a forensic report but stated that it will share additional findings as they become available. Security teams are advised to monitor Checkmarx and Jenkins security advisories for further updates.<\/p>\n

Source: Delimiter Online<\/p>\n","protected":false},"excerpt":{"rendered":"

Checkmarx has confirmed that a threat actor published a compromised version of its Jenkins AST Plugin to the official Jenkins Marketplace, marking the second such supply chain incident involving the company in recent weeks. In a statement released over the weekend, the cybersecurity firm warned users of the Checkmarx Jenkins AST plugin to verify they […]<\/p>\n","protected":false},"author":1,"featured_media":7080,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[505],"tags":[],"class_list":["post-7079","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts\/7079","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/comments?post=7079"}],"version-history":[{"count":0,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts\/7079\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/media\/7080"}],"wp:attachment":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/media?parent=7079"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/categories?post=7079"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/tags?post=7079"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}