Checkmarx Jenkins Plugin Compromised in New TeamPCP Supply Chain Attack

Checkmarx has confirmed that a malicious version of its Jenkins AST plugin was published on the Jenkins Marketplace, marking the second supply chain incident involving the company in recent weeks. The cybersecurity firm urged users to verify that they are running version 2.0.13-829.vc72453fa_1c16 or earlier, the last build released before December 17, 2025, or the patched release it has since published.

“We have identified unauthorized modifications to the Jenkins AST plugin build that could expose users to risk,” a Checkmarx spokesperson told reporters under condition of anonymity. “We recommend immediate verification and upgrade to the latest secure version.” The compromised plugin was traced to the threat actor tracked as TeamPCP, the same group linked to the earlier KICS supply chain attack.

Background

The TeamPCP threat actor first came to light in late November 2025 when Checkmarx’s KICS (Keeping Infrastructure as Code Secure) plugin was targeted in a similar supply chain compromise. In that incident, malicious code was injected into a popular open-source component, affecting thousands of CI/CD pipelines. Cybersecurity researchers warned that the group is methodically infiltrating development tools to steal credentials and intellectual property.

The Jenkins AST plugin is widely used for automated security testing within Jenkins pipelines, making it a high-value target. Checkmarx’s own internal monitoring systems flagged the anomaly within hours, but not before the malicious version was downloaded by an unknown number of users.

What This Means

Organizations using the Checkmarx Jenkins AST plugin should immediately audit the plugin version installed on each Jenkins controller. The compromised version could allow attackers to exfiltrate API keys, source code, and other sensitive data stored in the pipeline environment. Security teams are advised to compare the checksum of the installed plugin archive against the official release and to rotate any credentials that may have been exposed.

“This is a wake-up call for DevOps teams relying on plugin marketplaces without verifying supply chain integrity,” said Dr. Elena Ross, a cybersecurity expert at the SANS Institute. “The reuse of known threat actor signatures suggests a coordinated campaign against CI/CD security tooling.” Checkmarx has released patch version 2.0.14-830.ga_2b3c4d, available now from the official Jenkins plugin index.

The company also published a detailed incident report and a script to detect indicators of compromise. Users who downloaded the plugin between December 10 and December 17, 2025, are at highest risk. Checkmarx is cooperating with law enforcement and the Jenkins security team to remove the rogue plugin and track the attacker’s infrastructure.
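As an added, illustrative example that is not from the article, from Checkmarx, or from the Jenkins project, the following Python script shows the version and checksum audit described above. It parses the JSON that a Jenkins controller returns from `GET /pluginManager/api/json?depth=1`, classifies the installed Checkmarx AST plugin version against the two version strings quoted in this article, and compares a downloaded `.hpi` archive against a published SHA-256 digest. The plugin short name `checkmarx-ast-scanner`, the sample JSON and the sample archive bytes are assumptions and constructed data, not taken from the advisory.

```python
import hashlib
import hmac
import json
import re
from typing import Optional, Tuple

# Assumption: the plugin's short name in the Jenkins update center. The
# article never states it, so adjust if your controller reports another ID.
PLUGIN_ID = "checkmarx-ast-scanner"

# Version strings quoted in the article: the last build released before
# December 17, 2025, and the patched build that supersedes the rogue one.
LAST_GOOD = "2.0.13-829.vc72453fa_1c16"
PATCHED = "2.0.14-830.ga_2b3c4d"

# Jenkins plugin versions look like <semver>-<build>.<git hash>; only the
# first two parts carry ordering information.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+))?")


def parse_version(ver: str) -> Tuple[Tuple[int, ...], int]:
    """Return ((major, minor, ...), build) for a Jenkins plugin version.
    The git-hash suffix is ignored; a version without a build number gets 0."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unrecognised plugin version: {ver!r}")
    semantic = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2) or 0)
    return semantic, build


def classify(ver: str) -> str:
    """Classify an installed version relative to the advisory:
    'known-good' - at or before LAST_GOOD
    'patched'    - at or after PATCHED
    'suspect'    - anything built in between, i.e. the incident window."""
    v = parse_version(ver)
    if v <= parse_version(LAST_GOOD):
        return "known-good"
    if v >= parse_version(PATCHED):
        return "patched"
    return "suspect"


def audit_plugins(plugin_manager_json: str, plugin_id: str = PLUGIN_ID) -> Optional[dict]:
    """Locate the plugin in the body of GET /pluginManager/api/json?depth=1
    and classify it. Returns None when the plugin is not installed."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == plugin_id:
            return {
                "shortName": plugin["shortName"],
                "version": plugin["version"],
                "status": classify(plugin["version"]),
            }
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_hpi(hpi_bytes: bytes, expected_sha256: str) -> bool:
    """Compare a downloaded .hpi against the digest published for the
    official release. A tampered build can reuse a legitimate version
    string, so this check matters more than the version check above."""
    return hmac.compare_digest(sha256_hex(hpi_bytes), expected_sha256.strip().lower())


# Constructed sample of what a controller might return. The Checkmarx
# version below is synthetic and sits inside the incident window.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.7.0", "active": True},
        {"shortName": PLUGIN_ID, "version": "2.0.13-830.v0000000000", "active": True},
    ]
})


if __name__ == "__main__":
    # On a real controller the JSON comes from:
    #   curl -u user:token "$JENKINS_URL/pluginManager/api/json?depth=1"
    print(audit_plugins(SAMPLE_PLUGIN_MANAGER_JSON))
    # Constructed bytes standing in for a downloaded .hpi archive.
    fake_hpi = b"PK\x03\x04 constructed, not a real plugin archive"
    print("checksum ok:", verify_hpi(fake_hpi, sha256_hex(fake_hpi)))
```

The version check only narrows the search: any build that a controller reports between the two quoted versions deserves a look, but an attacker who republishes a tampered archive under a legitimate version string is caught only by the digest comparison, which is why the published checksum should be fetched from Checkmarx or the Jenkins update center and not from the same mirror that served the plugin.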
