Checkmarx has acknowledged that a tampered version of its Jenkins AST plugin was uploaded to the Jenkins Marketplace. In a statement over the weekend, the cybersecurity firm urged users to verify that they are running version 2.0.13-829.vc72453fa_1c16, which was released on December 17, 2025, or an earlier version.
Recent Developments in the Checkmarx Breach
The company has since rolled out version 2.0.13-848.v76e89de8a_053 on both GitHub and the Jenkins Marketplace. However, its update acknowledges that the process of publishing a new version is still under way. Details on how the compromised plugin was initially distributed remain undisclosed.
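The version check the advisory asks for can be scripted across a plugin inventory. The following is an added example, not code from Checkmarx or the Jenkins project: it treats the two version strings quoted above as the only trusted reference points and flags everything else for manual review, since the article does not identify the tampered build. Ordering "earlier" by base version and build counter is an assumption, and the controller names and inventory are constructed.

```python
import re

# The only two version strings named in the article.
LAST_GOOD = "2.0.13-829.vc72453fa_1c16"    # released December 17, 2025
REPUBLISHED = "2.0.13-848.v76e89de8a_053"  # rolled out after the incident

# <base version>-<build counter>.v<abbreviated commit>
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)\.v([0-9a-f_]+)$")


def parse(version):
    """Split '2.0.13-829.vc72453fa_1c16' into ((2, 0, 13), 829, 'c72453fa_1c16')."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized plugin version: {version!r}")
    base = tuple(int(part) for part in m.group(1).split("."))
    return base, int(m.group(2)), m.group(3)


def classify(version):
    """Return 'known-good', 'republished' or 'review' for one installed version."""
    if version.strip() == REPUBLISHED:
        return "republished"
    try:
        base, build, commit = parse(version)
    except ValueError:
        return "review"  # unparseable strings are never assumed safe
    good_base, good_build, good_commit = parse(LAST_GOOD)
    if (base, build) < (good_base, good_build):
        return "known-good"  # assumption: "earlier" means lower base/build
    if (base, build) == (good_base, good_build):
        # Same build counter but a different commit is not the named release.
        return "known-good" if commit == good_commit else "review"
    return "review"  # newer than the last good build and not the republished one


def audit(inventory):
    """Map controller name -> verdict for a {controller: version} inventory."""
    return {name: classify(version) for name, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; in practice read each controller's installed plugin list.
    sample = {
        "ci-prod": "2.0.13-829.vc72453fa_1c16",
        "ci-staging": "2.0.13-848.v76e89de8a_053",
        "ci-lab": "2.0.13-830.vabcdef123456",
    }
    for name, verdict in audit(sample).items():
        print(f"{name}: {verdict}")
```

Anything reported as `review` should be checked against Checkmarx's current guidance before the controller is trusted with credentials.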
This incident is the most recent attack carried out against Checkmarx by the cybercrime group known as TeamPCP. It comes a few weeks after the group's earlier compromise of Checkmarx's KICS Docker image, two Visual Studio Code extensions, and a GitHub Actions workflow, all aimed at deploying credential-stealing malware.
Impact of TeamPCP’s Continued Attacks
This breach resulted in a temporary compromise of the Bitwarden CLI npm package, which was manipulated to serve a stealer targeting various developer secrets. TeamPCP has been linked to multiple security breaches since March 2026, employing a strategy that capitalizes on the inherent trust within the software supply chain.
Security experts, including Adnan Khan and SOCRadar, revealed that TeamPCP managed to infiltrate the plugin's GitHub repository, renaming it provocatively and adding a description mocking Checkmarx's security measures. The repository's defacement highlighted a failure to rotate secrets.
Analysis and Future Implications
SOCRadar speculates that the resurgence of TeamPCP within Checkmarx systems shortly after the initial incident indicates either incomplete remediation or the presence of an undiscovered foothold from the March attack. The recurrence of an incident so soon underscores the group’s vigilance in identifying re-entry points and exploiting any overlooked vulnerabilities.
The ongoing threat posed by TeamPCP necessitates rigorous security practices and comprehensive incident responses. Organizations must remain vigilant and proactive in safeguarding against such sophisticated supply chain attacks.
