Checkmarx Jenkins AST Plugin Compromised in Supply Chain Attack
A malicious version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace as part of a supply chain attack. The compromised plugin enables integration with the Checkmarx One platform for source code scanning in Jenkins pipelines. Checkmarx confirmed the incident and advised users to run version 2. 0. 13-829. vc72453fa_1c16 or later, with newer patched versions released subsequently. The attack is linked to the Trivy supply chain compromise and unauthorized access to Checkmarx's repositories by the TeamPCP hacker group, followed by data leaks from the Lapsus$ extortion group. Checkmarx is actively addressing the issue by releasing fixed plugin versions. No detailed technical exploitation methods or impacts beyond the supply chain compromise have been disclosed.
AI Analysis
Technical Summary
The Checkmarx Jenkins AST plugin was compromised in a supply chain attack when a malicious version was published to the Jenkins Marketplace. This plugin integrates Checkmarx One platform scanning capabilities into Jenkins pipelines. The compromise stems from unauthorized access to Checkmarx's repositories, linked to the Trivy supply chain attack and subsequent data leaks by threat actors TeamPCP and Lapsus$. Checkmarx has released patched plugin versions starting with 2.0.13-829.vc72453fa_1c16 and later updates to remediate the issue. The company has not disclosed the exact method of malicious plugin publication but is actively mitigating the threat.
Potential Impact
The supply chain compromise allowed attackers to publish a malicious version of the Jenkins AST plugin, potentially exposing users who installed the compromised plugin to risks associated with malicious code execution within their CI/CD pipelines. The incident also involved unauthorized access to Checkmarx's source code repositories and data leaks. However, no confirmed exploitation in the wild has been reported. The impact is primarily on the integrity and trustworthiness of the plugin distributed via the official Jenkins Marketplace.
Mitigation Recommendations
Users should ensure they are running version 2.0.13-829.vc72453fa_1c16 or later of the Checkmarx Jenkins AST plugin. Checkmarx has released newer patched versions, including 2.0.13-848.v76e89de8a_053, available on GitHub and the Jenkins Marketplace. Users should update to the latest version immediately to mitigate risks from the compromised plugin. Checkmarx is actively managing the remediation. No additional mitigation steps have been advised by the vendor at this time.
Checkmarx Jenkins AST Plugin Compromised in Supply Chain Attack
Description
A malicious version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace as part of a supply chain attack. The compromised plugin enables integration with the Checkmarx One platform for source code scanning in Jenkins pipelines. Checkmarx confirmed the incident and advised users to run version 2. 0. 13-829. vc72453fa_1c16 or later, with newer patched versions released subsequently. The attack is linked to the Trivy supply chain compromise and unauthorized access to Checkmarx's repositories by the TeamPCP hacker group, followed by data leaks from the Lapsus$ extortion group. Checkmarx is actively addressing the issue by releasing fixed plugin versions. No detailed technical exploitation methods or impacts beyond the supply chain compromise have been disclosed.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Checkmarx Jenkins AST plugin was compromised in a supply chain attack when a malicious version was published to the Jenkins Marketplace. This plugin integrates Checkmarx One platform scanning capabilities into Jenkins pipelines. The compromise stems from unauthorized access to Checkmarx's repositories, linked to the Trivy supply chain attack and subsequent data leaks by threat actors TeamPCP and Lapsus$. Checkmarx has released patched plugin versions starting with 2.0.13-829.vc72453fa_1c16 and later updates to remediate the issue. The company has not disclosed the exact method of malicious plugin publication but is actively mitigating the threat.
Potential Impact
The supply chain compromise allowed attackers to publish a malicious version of the Jenkins AST plugin, potentially exposing users who installed the compromised plugin to risks associated with malicious code execution within their CI/CD pipelines. The incident also involved unauthorized access to Checkmarx's source code repositories and data leaks. However, no confirmed exploitation in the wild has been reported. The impact is primarily on the integrity and trustworthiness of the plugin distributed via the official Jenkins Marketplace.
Mitigation Recommendations
Users should ensure they are running version 2.0.13-829.vc72453fa_1c16 or later of the Checkmarx Jenkins AST plugin. Checkmarx has released newer patched versions, including 2.0.13-848.v76e89de8a_053, available on GitHub and the Jenkins Marketplace. Users should update to the latest version immediately to mitigate risks from the compromised plugin. Checkmarx is actively managing the remediation. No additional mitigation steps have been advised by the vendor at this time.
Technical Details
- Article Source
- {"url":"https://www.securityweek.com/checkmarx-jenkins-ast-plugin-compromised-in-supply-chain-attack/","fetched":true,"fetchedAt":"2026-05-11T09:36:27.475Z","wordCount":930}
Threat ID: 6a01a31bcbff5d8610eaff6d
Added to database: 5/11/2026, 9:36:27 AM
Last enriched: 5/11/2026, 9:36:34 AM
Last updated: 5/11/2026, 10:40:22 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.