Checkmarx tackles another TeamPCP intrusion as Jenkins plugin sabotaged
Briefly

"We are aware that a modified version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace," it said in a statement. "We are in the process of publishing a new version of this plug-in." Versions published as of May 9, 2026, should not be trusted, it added, before urging all users to check they're running the correct release (2.0.13-829.vc72453fa_1c16) published on December 17, 2025.
"What makes this particularly dangerous for Jenkins users is the trust model at play," said SOCRadar in its coverage. "The Checkmarx Jenkins plugin is a tool people install specifically to improve the security of their pipelines. A backdoored version doesn't just compromise one project; it rides trusted infrastructure into every build pipeline it touches, with access to source code, environment variables, tokens, and whatever secrets the runner can see."
Installed by several hundred controllers, the plugin remains available at the time of writing, and appears as the most recently available version, although pull requests actioned on Monday morning suggest this will soon be pulled down.
Security engineer Adnan Khan spotted the compromise quickly over the weekend. The crew behind the early supply chain attack affecting Checkmarx in April, TeamPCP, defaced the company's GitHub and published six packages, each with a description alluding to the Shai-Hulud wormable malware.
A malicious version of the Checkmarx Jenkins AST Scanner plugin was uploaded to the Jenkins Marketplace and made available over the weekend. Checkmarx detected the unauthorized publication and began preparing a new plugin version. Users were warned not to trust versions published as of May 9, 2026, and were urged to verify they are running the correct release, 2.0.13-829.vc72453fa_1c16, published on December 17, 2025. The compromised plugin was installed on several hundred Jenkins controllers and remained available at the time of reporting. The risk comes from Jenkins trust: a backdoored plugin can access source code, environment variables, tokens, and secrets across build pipelines it touches. A related supply-chain incident in April involved TeamPCP defacing Checkmarx’s GitHub and publishing packages referencing wormable malware.
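As an added illustration of the version check Checkmarx asked users to perform (this is not the vendor's or The Register's code): a small Python check that reads a Jenkins controller's plugin-manager JSON and flags any install of the Checkmarx plugin that is not the trusted 2.0.13-829.vc72453fa_1c16 release. The plugin short name checkmarx-ast-scanner, the constructed sample JSON and the "untrusted" version string in it are assumptions; the JSON shape is what `GET /pluginManager/api/json?depth=1` returns on a controller.

```python
import json
from typing import Any, Dict

# Known-good release named in Checkmarx's advisory (from the article).
TRUSTED_VERSION = "2.0.13-829.vc72453fa_1c16"
# Jenkins plugin short name; an assumption, confirm it against your own
# controller's Manage Plugins > Installed list before relying on it.
PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"

# Constructed sample of the JSON a controller returns for
# GET /pluginManager/api/json?depth=1 (trimmed to the fields used here).
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.2", "active": True},
        {"shortName": "checkmarx-ast-scanner",
         "version": "2.0.14-900.vdeadbeef0000",  # constructed, not a real release
         "active": True},
    ]
})


def check_checkmarx_plugin(plugin_manager_json: str) -> Dict[str, Any]:
    """Compare the installed Checkmarx plugin against the trusted release.

    Returns a dict with 'status' in {'missing', 'trusted', 'untrusted'},
    the installed version (if any), and a short recommended action.
    """
    data = json.loads(plugin_manager_json)
    installed = [p for p in data.get("plugins", [])
                 if p.get("shortName") == PLUGIN_SHORT_NAME]
    if not installed:
        return {"status": "missing", "version": None,
                "action": "nothing to do; plugin is not installed"}
    # Jenkins lists each plugin once; take the first entry if it ever does not.
    version = installed[0].get("version", "")
    active = bool(installed[0].get("active", False))
    if version == TRUSTED_VERSION:
        return {"status": "trusted", "version": version, "active": active,
                "action": "version matches the advisory; keep it pinned"}
    # Any other version (newer included) is outside the advisory's trust line.
    return {"status": "untrusted", "version": version, "active": active,
            "action": "disable the plugin, then rotate every credential and "
                      "token the controller and its agents could read"}


if __name__ == "__main__":
    print(json.dumps(check_checkmarx_plugin(SAMPLE_PLUGIN_MANAGER_JSON), indent=2))
```

Feed it real output with something like `curl -u user:apitoken "$JENKINS_URL/pluginManager/api/json?depth=1"`; an "untrusted" result on a controller that was live over the weekend means treating every secret the pipelines could read as exposed.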
Read at theregister