TeamPCP Publishes Malicious Checkmarx Jenkins Plugin

Checkmarx confirmed a modified, malicious Jenkins AST plugin reached the Jenkins Marketplace and advised users to run version 2.0.13-829 or earlier.

Checkmarx confirmed that a modified, malicious version of the Jenkins AST plugin was published to the Jenkins Marketplace. The company advised users to run version 2.0.13-829.vc72453fa_1c16 (published on December 17, 2025) or an earlier release to avoid the compromised build.

As of publication, Checkmarx had posted a later build, 2.0.13-848.v76e89de8a_053, on both GitHub and the Jenkins Marketplace, while an incident update noted the vendor was “in the process of publishing a new version of this plugin.” Checkmarx has not disclosed how the malicious version was uploaded.

Security researchers reported that the group known as TeamPCP gained unauthorized access to the plugin’s GitHub repository and renamed it to “Checkmarx-Fully-Hacked-by-TeamPCP-and-Their-Customers-Should-Cancel-Now.” The repository description was updated to read: “Checkmarx fails to rotate secrets again. with love – TeamPCP.” Checkmarx has not detailed how repository access was obtained or whether internal credentials were exposed.

The compromised plugin follows a series of supply-chain incidents attributed to TeamPCP. In recent weeks the group has been linked to the compromise of a KICS Docker image, two Visual Studio Code extensions and a GitHub Actions workflow that pushed credential-stealing malware. Those breaches briefly led to the Bitwarden CLI npm package being altered to deliver a stealer capable of harvesting developer secrets.

SOCRadar wrote that the recurrence at Checkmarx points to two possibilities: the original remediation may have been incomplete and credentials not fully rotated, or the group retained access that was not identified in the March response. The organization added that a second incident so soon suggests TeamPCP is testing for re-entry points.

Checkmarx repeated its safe-version recommendation and urged customers to verify plugin versions in their environments. The vendor has not published a technical analysis of the malicious code or indicators of compromise and has not confirmed whether customer systems were infected through the Marketplace distribution.

Users who run the Jenkins AST plugin should check their deployments, confirm plugin versions, and follow further updates from Checkmarx.
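One way to carry out that version check against the output of Jenkins' plugin-manager API, as an added example that is not Checkmarx's or Jenkins' own code: it parses the incrementals-style version strings quoted above and compares each installed copy against the advisory's safe baseline. The plugin's Jenkins short name (`checkmarx-ast-scanner`) and the sample API response are assumptions, not taken from the article.

```python
import json
import re

# Safe baseline named in the Checkmarx advisory (quoted in the article above).
SAFE_VERSION = "2.0.13-829.vc72453fa_1c16"
# Jenkins short name of the Checkmarx AST plugin: an assumption, not stated in the article.
PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"

# Jenkins incrementals versions look like "<release>-<build>.v<commit>"; the build suffix is optional.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)(?:\.v[0-9a-f_]+)?)?$")


def parse_version(version):
    """Split a plugin version into a comparable (release tuple, build number) pair."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return release, build


def is_at_or_before(version, baseline=SAFE_VERSION):
    """True when `version` is the baseline or an earlier release/build."""
    return parse_version(version) <= parse_version(baseline)


def check_plugins(api_json):
    """Map each installed Checkmarx AST plugin version to a status.

    `api_json` is the body of GET /pluginManager/api/json?depth=1 on a Jenkins controller.
    """
    findings = {}
    for plugin in json.loads(api_json).get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = plugin["version"]
        if is_at_or_before(version):
            findings[version] = "at or before advisory baseline"
        else:
            findings[version] = "newer than baseline: verify against the vendor advisory"
    return findings


# Constructed sample response, shaped like Jenkins' plugin-manager API output.
SAMPLE_API_JSON = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.7.0", "enabled": True},
    {"shortName": PLUGIN_SHORT_NAME, "version": "2.0.13-848.v76e89de8a_053", "enabled": True},
]})

if __name__ == "__main__":
    for version, status in check_plugins(SAMPLE_API_JSON).items():
        print(f"{PLUGIN_SHORT_NAME} {version}: {status}")
```

Point the same function at a live controller by fetching `/pluginManager/api/json?depth=1` with an account that has plugin-read permission; any version flagged as newer than the baseline should be reconciled with the current Checkmarx advisory before it is trusted.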
