
"We are aware that a modified version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace. We are in the process of publishing a new version of this plugin,"
"The company told users to ensure they are running version 2.0.13-829.vc72453fa_1c16 of the Jenkins AST plugin, which was published in December 2025."
"Over the weekend, Checkmarx released two new versions of the plugin. The latest iteration, 2.0.13-848.v76e89de8a_053, is now available on both GitHub and the Jenkins Marketplace."
"As a result of the Trivy supply chain attack, the TeamPCP hacker gang accessed Checkmarx's repositories in late March and published malicious artifacts. A month later, likely due to continuous or renewed attacker access, a new wave of malicious artifacts was published on behalf of Checkmarx. Soon after, the infamous Lapsus$ extortion group publicly released data allegedly stolen from the company's repositories."
A malicious version of the Checkmarx Jenkins AST plugin was published on the Jenkins Marketplace as part of a supply chain attack. The plugin integrates Checkmarx One scanning into Jenkins pipelines, enabling source code scans through the Checkmarx AST platform. Checkmarx warned users and instructed them to run a specific December 2025 plugin version, 2.0.13-829.vc72453fa_1c16. Over the weekend, Checkmarx released two updated plugin versions; the latest, 2.0.13-848.v76e89de8a_053, is available on GitHub and the Jenkins Marketplace. Checkmarx did not provide details on how the malicious version was published. The incident aligns with earlier repository compromise activity tied to the Trivy supply chain attack, followed by additional malicious artifact releases and later data exposure by Lapsus$.
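A defender-side check that follows from the advisory above, added here as an example and not code from Checkmarx or SecurityWeek: it reads the plugin list a Jenkins controller returns from `GET /pluginManager/api/json?depth=1` and compares the installed Checkmarx AST plugin version against the two versions the advisory names. The plugin `shortName` (`checkmarx-ast-scanner`) and the sample payload are assumptions constructed for the example; confirm the short name against your own update center.

```python
import re

# Versions named in the Checkmarx advisory quoted above (taken from the page).
ADVISED_VERSIONS = {
    "2.0.13-829.vc72453fa_1c16",
    "2.0.13-848.v76e89de8a_053",
}

# Assumption: the plugin's Jenkins shortName. Verify it in your update center.
PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"

# Jenkins incremental versions look like <release>-<build>.v<commit-derived suffix>.
VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)-(?P<build>\d+)\.v(?P<suffix>[0-9a-f_]+)$"
)


def parse_version(version):
    """Split a Jenkins incremental version into (release tuple, build number)."""
    m = VERSION_RE.match(version)
    if not m:
        return None
    release = tuple(int(p) for p in m.group("release").split("."))
    return (release, int(m.group("build")))


def assess_plugin(version):
    """Classify an installed version: advised, older than advised, or unlisted."""
    if version in ADVISED_VERSIONS:
        return "advised"
    parsed = parse_version(version)
    if parsed is None:
        return "not_on_advisory_list"
    oldest_advised = min(parse_version(v) for v in ADVISED_VERSIONS)
    if parsed < oldest_advised:
        return "older_than_advised"
    # Newer or in-between builds are not vouched for by the advisory text; verify with the vendor.
    return "not_on_advisory_list"


def audit_plugin_manager(payload):
    """payload: parsed JSON from /pluginManager/api/json?depth=1. Returns [(version, status)]."""
    return [
        (p.get("version", ""), assess_plugin(p.get("version", "")))
        for p in payload.get("plugins", [])
        if p.get("shortName") == PLUGIN_SHORT_NAME
    ]


# Constructed sample response (not real controller output) for a stand-alone run.
SAMPLE_PAYLOAD = {
    "plugins": [
        {"shortName": "git", "version": "5.2.1"},
        {"shortName": PLUGIN_SHORT_NAME, "version": "2.0.13-829.vc72453fa_1c16"},
    ]
}

if __name__ == "__main__":
    for version, status in audit_plugin_manager(SAMPLE_PAYLOAD):
        print(f"{PLUGIN_SHORT_NAME} {version}: {status}")
```

Any result other than `advised` is a prompt to pin the plugin to an advisory-listed version and review recent pipeline runs on that controller.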
Read at SecurityWeek