The Checkmarx Jenkins AST plugin was compromised in a supply chain attack when a malicious version was published to the Jenkins Marketplace. This plugin integrates Checkmarx One platform scanning capabilities into Jenkins pipelines. The compromise stems from unauthorized access to Checkmarx's repositories, linked to the Trivy supply chain attack and subsequent data leaks by threat actors TeamPCP and Lapsus$. Checkmarx has released patched plugin versions starting with 2.0.13-829.vc72453fa_1c16 and later updates to remediate the issue. The company has not disclosed the exact method of malicious plugin publication but is actively mitigating the threat.

The supply chain compromise allowed attackers to publish a malicious version of the Jenkins AST plugin, potentially exposing users who installed the compromised plugin to risks associated with malicious code execution within their CI/CD pipelines. The incident also involved unauthorized access to Checkmarx's source code repositories and data leaks. However, no confirmed exploitation in the wild has been reported. The impact is primarily on the integrity and trustworthiness of the plugin distributed via the official Jenkins Marketplace.

Users should ensure they are running version 2.0.13-829.vc72453fa_1c16 or later of the Checkmarx Jenkins AST plugin. Checkmarx has released newer patched versions, including 2.0.13-848.v76e89de8a_053, available on GitHub and the Jenkins Marketplace. Users should update to the latest version immediately to mitigate risks from the compromised plugin. Checkmarx is actively managing the remediation. No additional mitigation steps have been advised by the vendor at this time.