Checkmarx recently alerted users to a security breach involving its Jenkins AST plugin, which was compromised in a supply chain attack. The plugin, which integrates Checkmarx One platform functionality into Jenkins pipelines, was modified with malicious intent and published on the Jenkins Marketplace.
Compromised Plugin Discovered
In an official statement on Friday, Checkmarx acknowledged that a tampered version of its Jenkins AST plugin had been published and said a corrected version was already being prepared. Users were advised to confirm that they are running version 2.0.13-829.vc72453fa_1c16, which was made available in December 2025.
Over the weekend Checkmarx published two updated versions of the plugin in response to the breach. The latest, 2.0.13-848.v76e89de8a_053, is available on both GitHub and the Jenkins Marketplace so that users can move their pipelines off the compromised release.
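As an added illustration, not code from Checkmarx or from the article, the following Python check parses Jenkins incrementals-style plugin versions (the `<base>-<build>.v<hash>` form both versions above use) and flags an installed Checkmarx AST plugin that is older than the latest release the article names. The plugin short name `checkmarx-ast-scanner`, the `list-plugins` line layout and the sample listing are assumptions constructed for the example.

```python
import re

# Jenkins incrementals-style plugin version: <base>-<build>.v<git-hash>, e.g.
# 2.0.13-848.v76e89de8a_053 (the "_" inside the hash is inserted by the build
# so the hash is not read as a number). Parsing rule assumed from that convention.
_VERSION_RE = re.compile(
    r"^(?P<base>\d+(?:\.\d+)*)-(?P<build>\d+)\.v(?P<hash>[0-9a-f_]+)$"
)

FIXED_VERSION = "2.0.13-848.v76e89de8a_053"  # latest release named in the article
PLUGIN_ID = "checkmarx-ast-scanner"          # assumed short name of the plugin


def parse_version(version: str):
    """Split a plugin version into (base tuple, build number, git hash)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins plugin version: {version!r}")
    base = tuple(int(p) for p in m["base"].split("."))
    return base, int(m["build"]), m["hash"]


def is_at_least(installed: str, fixed: str) -> bool:
    """Compare numerically, so build 1000 ranks above 848 (a string compare would not)."""
    ib, ibuild, _ = parse_version(installed)
    fb, fbuild, _ = parse_version(fixed)
    return (ib, ibuild) >= (fb, fbuild)


def audit_listing(listing: str, plugin_id: str = PLUGIN_ID, fixed: str = FIXED_VERSION):
    """Return [(version, 'ok' | 'outdated' | 'unparseable')] for each matching plugin line.

    Assumed line shape: <short-name> <display name...> <version> [(<newer version>)].
    Adapt the token split if your plugin inventory is formatted differently.
    """
    findings = []
    for line in listing.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != plugin_id:
            continue
        # Skip a trailing "(x.y.z)" update hint and take the installed version token.
        version = next(t for t in reversed(tokens) if not t.startswith("("))
        try:
            findings.append((version, "ok" if is_at_least(version, fixed) else "outdated"))
        except ValueError:
            findings.append((version, "unparseable"))
    return findings


# Constructed sample inventory; not output captured from any real Jenkins instance.
SAMPLE_LISTING = """\
git                   Git plugin             5.2.1
checkmarx-ast-scanner Checkmarx AST Scanner  2.0.13-829.vc72453fa_1c16 (2.0.13-848.v76e89de8a_053)
"""
```

A version string alone does not establish that the installed artifact is genuine; compare the installed plugin file's checksum against the Jenkins update center metadata as well.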
Ongoing Supply Chain Threats
While Checkmarx has not disclosed how the malicious plugin was introduced, the incident is not isolated: it is part of a larger supply chain attack that has affected Checkmarx since March. The initial breach, known as the Trivy supply chain attack, allowed the TeamPCP hacker group to gain access to Checkmarx’s repositories and subsequently distribute tainted artifacts.
In April, further compromised artifacts were released, suggesting either persistent access by the attackers or renewed breach attempts. The notorious cyber-extortion group Lapsus$ later claimed responsibility for releasing data allegedly stolen from Checkmarx’s repositories.
Security and Prevention Measures
Checkmarx confirmed that the stolen data was likely exfiltrated from its GitHub repositories using credentials compromised during the Trivy attack. The sequence of incidents shows how a single credential compromise can propagate through a software supply chain, turning a vendor's own distribution channels into an attack vector.
Such breaches highlight the growing threat landscape and the need for continuous vigilance and security updates to protect sensitive data and maintain the integrity of software distribution channels.
Checkmarx’s response, including the swift release of secure plugin versions, demonstrates a proactive approach to managing such crises, though the incidents underline the persistent challenges faced by companies in defending against sophisticated cyber threats.
