Critical Checkmarx Plugin Vulnerability Exposed Jenkins AST Users


Jennifer Sherman
May 12, 2026

Key Takeaways

  • A malicious version of the Checkmarx Jenkins AST plugin (version 2026.5.09) was distributed via the Jenkins Marketplace, exposing CI/CD pipelines to credential theft.
  • This incident is part of a broader supply chain attack by the threat actor TeamPCP, originating from a compromise of the Trivy scanner and Checkmarx’s GitHub repositories.
  • The attack aimed to exfiltrate sensitive credentials and secrets, including GitHub tokens, cloud credentials (AWS, Azure, Google Cloud), Kubernetes tokens, SSH keys, and Docker registry credentials.
  • Organizations that downloaded and used the malicious plugin between May 9, 2026, 01:25 UTC, and May 10, 2026, 08:47 UTC, are at risk.
  • Checkmarx has removed the compromised plugin and is working on a clean replacement. Immediate mitigation steps, including credential rotation and network blocking, are strongly advised.

A recent, sophisticated supply chain attack has targeted a widely used application security tool, Checkmarx, through its Jenkins AST plugin. In May 2026, a malicious version of the plugin, 2026.5.09, was covertly published to the Jenkins Marketplace. This compromise opened development pipelines to potential credential theft and unauthorized access, as detailed in a comprehensive report.

The incident has been linked to the threat actor known as TeamPCP. Their earlier compromise of the open-source Trivy scanner initiated a cascading series of events with far-reaching implications across the software development ecosystem.

The Chronology of a Supply Chain Breach

The attack unfolded over several weeks, beginning on March 23, 2026. Attackers successfully injected malicious code directly into Checkmarx’s GitHub repository. This initial breach is believed to stem from credentials acquired during TeamPCP’s earlier supply chain compromise of the Trivy scanner, an incident the security community had identified on March 19 as a potential vector for harvesting credentials from downstream users and their connected systems. Analysts at Checkmarx have since traced the likely attack path back to this initial Trivy compromise, concluding that the stolen credentials facilitated unauthorized access to their GitHub environment. Once inside, the attackers manipulated internal repositories, embedding malicious code into critical artifacts distributed to developers globally.

The Jenkins Plugin Compromise

The campaign rapidly escalated into a multi-stage operation. A second wave of malicious artifacts appeared on April 22, 2026, suggesting that the attackers either maintained or regained access despite initial containment efforts. Subsequently, on April 25, the cybercriminal group LAPSUS$ publicized data stolen from Checkmarx’s GitHub repositories on the dark web, nearly a month after the suspected data exfiltration on March 30.

The full extent of the compromise became apparent in May when the tampered Jenkins AST plugin, version 2026.5.09, was uploaded to the Jenkins Marketplace. This provided the attackers with a new and dangerous foothold within CI/CD pipelines worldwide. The malicious plugin was engineered to mimic legitimate functionality, making detection challenging for development teams during routine pipeline executions. The exposure window for this specific plugin extended from May 9, 2026, at 01:25 UTC, to May 10, 2026, at 08:47 UTC.

Any organization that downloaded and integrated this specific plugin version into an active build pipeline during the aforementioned period may have been compromised. Checkmarx confirmed that the last known secure version was 2.0.13-829.vc72453fa_1c16, released in December 2025. Teams operating this version or any prior release are not considered affected by this particular phase of the attack. Checkmarx has acted swiftly to remove the malicious plugin and is in the process of releasing a verified, clean replacement. Organizations relying on automated plugin updates face heightened risk, as the compromised version could have been silently integrated without any apparent changes to their build configurations.

KICS and the Broader Artifact Exposure

The April offensive simultaneously impacted a wider array of developer tools. The public KICS Docker image on DockerHub was compromised between April 22, 2026, 12:31 UTC, and 12:59 UTC. On the same day, the ast-github-action was tampered with between 14:17 and 15:41 UTC. Furthermore, malicious versions of the VS Code extensions for Checkmarx AST results and Developer Assist were distributed across both the Microsoft and Open VSX marketplaces.

The investigation revealed that the primary objective of the malicious code was the collection and attempted exfiltration of sensitive credentials and secrets from affected development environments. The targeted data included GitHub personal access tokens, cloud credentials for AWS, Azure, and Google Cloud, Kubernetes service account tokens, SSH keys, and Docker registry credentials.

What You Should Do

  • Immediately block outbound access to checkmarx.cx and audit.checkmarx.cx at the network perimeter.
  • Rotate all potentially exposed credentials, including GitHub personal access tokens, cloud credentials (AWS, Azure, Google Cloud), Kubernetes service account tokens, SSH keys, and Docker registry credentials.
  • Pin all development tools and dependencies to verified SHA hashes to prevent silent updates to malicious versions.
  • Disable automatic update features for all IDE extensions, especially those related to Checkmarx products.
  • Review CI/CD logs for any references to suspicious files like tpcp.tar.gz, attacker-controlled domains such as checkmarx.zone, or unexpected repositories like tpcp-docs.
  • Verify the integrity of all Checkmarx plugins and extensions against the last known safe version (2.0.13-829.vc72453fa_1c16 for Jenkins AST plugin) or official, remediated releases.
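The following is an added triage script, not code from the article or from Checkmarx, that turns the checklist above into repeatable checks: it classifies an installed Jenkins AST plugin version against the versions named in the article, tests whether an install timestamp falls inside the published exposure window, and scans CI/CD log lines for the indicators listed above. The sample log lines and the plugin short name in them are constructed placeholders.

```python
from datetime import datetime, timezone

# Values below are taken from the article: the malicious plugin version, the
# last known safe version, the exposure window and the log indicators to review.
MALICIOUS_VERSION = "2026.5.09"
LAST_SAFE_VERSION = "2.0.13-829.vc72453fa_1c16"
EXPOSURE_START = datetime(2026, 5, 9, 1, 25, tzinfo=timezone.utc)
EXPOSURE_END = datetime(2026, 5, 10, 8, 47, tzinfo=timezone.utc)
LOG_INDICATORS = ("tpcp.tar.gz", "checkmarx.zone", "tpcp-docs")


def classify_version(version: str) -> str:
    """Classify an installed Jenkins AST plugin version against the article's data."""
    if version == MALICIOUS_VERSION:
        return "malicious"
    if version == LAST_SAFE_VERSION:
        return "safe"
    return "unknown"  # not listed: verify against the official remediated release


def in_exposure_window(installed_at: str) -> bool:
    """True if an ISO-8601 UTC timestamp (e.g. 2026-05-09T03:10:45Z) falls in the window."""
    ts = datetime.strptime(installed_at, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return EXPOSURE_START <= ts <= EXPOSURE_END


def find_indicators(log_lines):
    """Return (line_number, indicator) for every log line mentioning a listed indicator."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        lowered = line.lower()
        hits.extend((number, ioc) for ioc in LOG_INDICATORS if ioc in lowered)
    return hits


def assess(version: str, installed_at: str, log_lines) -> dict:
    """Combine the checks into one verdict; an unknown version installed in the window is flagged conservatively."""
    status = classify_version(version)
    in_window = in_exposure_window(installed_at)
    hits = find_indicators(log_lines)
    at_risk = status == "malicious" or bool(hits) or (status == "unknown" and in_window)
    return {"version_status": status, "installed_in_window": in_window,
            "indicator_hits": hits, "at_risk": at_risk}


# Constructed sample log (not real data); the plugin short name is a placeholder.
SAMPLE_LOG = [
    "2026-05-09T03:10:45Z INFO Updating plugin checkmarx-ast-plugin to 2026.5.09",
    "2026-05-09T03:11:02Z INFO GET https://checkmarx.zone/tpcp-docs/tpcp.tar.gz",
    "2026-05-09T03:11:09Z INFO Build #418 finished: SUCCESS",
]

if __name__ == "__main__":
    print(assess("2026.5.09", "2026-05-09T03:10:45Z", SAMPLE_LOG))
```

A hit from any one of the three checks should trigger the credential rotation described above, since the article states that a single build run with the tampered plugin was enough to expose pipeline secrets.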
