Checkmarx Jenkins AST Plugin Compromised in Supply Chain Attack

Checkmarx on Friday warned users that a malicious version of its Jenkins AST plugin was published as part of a supply chain attack. The plugin enables users to integrate the functionality of the Checkmarx One platform into Jenkins pipelines, allowing them to scan source code using the Checkmarx AST platform. “We are aware that a modified version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace. We are in the process of publishing a new version of this plugin,” Checkmarx said on Friday. The company told users to ensure they are running version 2.0.13-829.vc72453fa_1c16 of the Jenkins AST plugin, which was published in December 2025. Over the weekend, Checkmarx released two new versions of the plugin. The latest iteration, 2.0.13-848.v76e89de8a_053, is now available on both GitHub and the Jenkins Marketplace. Checkmarx has not shared information on how the malicious plugin version was published, but the incident is part of the supply chain attack the security firm has been dealing with since March. As a result of the Trivy supply chain attack, the TeamPCP hacker gang accessed Checkmarx’s repositories in late March and published malicious artifacts. A month later, likely due to continuous or renewed attacker access, a new wave of malicious artifacts was published on behalf of Checkmarx. Soon after, the infamous Lapsus$ extortion group publicly released data allegedly stolen from the company’s repositories. The company confirmed at the time that the data was likely stolen from its GitHub repositories in late March, using credentials compromised through the Trivy supply chain attack. Related: Vendor Says Daemon Tools Supply Chain Attack Contained Related: AI Coding Agents Could Fuel Next Supply Chain Crisis Related: Gemini CLI Vulnerability Could Have Led to Code Execution, Supply Chain Attack Related: 1,800 Hit in Mini Shai-Hulud Attack on SAP, Lightning, Intercom WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Over 500 Organizations Hit in Years-Long Phishing Campaign AI Firm Braintrust Prompts API Key Rotation After Data Breach ‘PCPJack’ Worm Removes TeamPCP Infections, Steals Credentials Vulnerability in Claude Extension for Chrome Exposes AI Agent to Takeover Boost Security Raises $4 Million for SDLC Defense Platform Chrome 148 Rolls Out With 127 Security Fixes Vendor Says Daemon Tools Supply Chain Attack Contained Cisco Patches High-Severity Vulnerabilities in Enterprise Products Latest News Build Application Firewalls Aim to Stop the Next Supply Chain Attack Google Detects First AI-Generated Zero-Day Exploit Skoda Data Breach Hits Online Shop Customers Cloudflare Lays Off 1,100 Employees in AI-Driven Restructuring SailPoint Discloses GitHub Repository Hack Canvas System Is Online After a Cyberattack Disrupted Thousands of Schools New ‘Dirty Frag’ Linux Vulnerability Possibly Exploited in Attacks Resurrected ‘Crimenetwork’ Marketplace Taken Down, Administrator Arrested Trending Webinar: ROSI For CPS Security Programs May 13, 2026 In cyber-physical systems (CPS), just one hour of downtime can outweigh an entire annual security budget. Learn how to master the Return on Security Investment (ROSI) to align security goals with the bottom-line priorities. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Malwarebytes has named Chung Ip as Chief Financial Officer. Semperis has appointed John Podboy as Chief Information Security Officer. Randy Menon has become Chief Product and Marketing Officer at One Identity. More People On The Move Expert Insights The Mythos Moment: Enterprises Must Fight Agents With Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense In The Age Of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win The Cyber War Without The Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Email