Executive Summary
In May 2026, Checkmarx's Jenkins Application Security Testing (AST) plugin was compromised by the hacker group TeamPCP. The attackers published a malicious version of the plugin on the Jenkins Marketplace, embedding credential-stealing malware. This breach was facilitated by credentials obtained from a prior supply chain attack on the Trivy vulnerability scanner in March 2026. The malicious plugin, version 2026.5.09, was uploaded on May 9, 2026, and users who installed this version are advised to rotate all secrets and investigate for potential lateral movement or persistence. This incident underscores the escalating trend of supply chain attacks targeting development tools and the critical need for robust security measures in CI/CD pipelines. Organizations must remain vigilant, ensuring the integrity of third-party plugins and promptly addressing any security advisories to mitigate potential risks.
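A defender-side check for the advice above (rotate secrets if the malicious build is installed), added here and not part of the advisory: it parses the JSON a Jenkins controller returns from /pluginManager/api/json?depth=1 (fetched out of band with an API token) and flags the build the advisory names. The plugin short name checkmarx-ast-scanner and the sample inventory are assumptions constructed for the example.

```python
"""Flag the compromised Checkmarx Jenkins AST plugin build in a plugin inventory.

Added example, not from the advisory. Assumes the plugin's Jenkins short name is
"checkmarx-ast-scanner" (assumption; confirm in your own plugin manager). Input is
the JSON from  curl -u USER:APITOKEN "$JENKINS_URL/pluginManager/api/json?depth=1".
"""
import json

COMPROMISED_PLUGIN = "checkmarx-ast-scanner"   # assumed short name
COMPROMISED_VERSIONS = {"2026.5.09"}           # build named in the advisory

# Constructed sample of the plugin manager response (not real data).
SAMPLE_INVENTORY = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.2", "active": True},
        {"shortName": "checkmarx-ast-scanner", "version": "2026.5.09", "active": True},
        {"shortName": "credentials", "version": "1337.v60b_d7b_c7b_c9f", "active": True},
    ]
})


def normalize_version(version):
    """Turn '2026.5.09' and '2026.5.9' into the same tuple so a hand-typed
    version does not slip past an exact string comparison."""
    return tuple(int(p) if p.isdigit() else p for p in version.split("."))


def find_compromised(inventory_json):
    """Return (shortName, version, active) for every installed entry that is the
    compromised build; an empty list means the build is not present."""
    bad = {normalize_version(v) for v in COMPROMISED_VERSIONS}
    hits = []
    for plugin in json.loads(inventory_json).get("plugins", []):
        if plugin.get("shortName") != COMPROMISED_PLUGIN:
            continue
        if normalize_version(plugin.get("version", "")) in bad:
            hits.append((plugin["shortName"], plugin["version"], bool(plugin.get("active"))))
    return hits


def is_affected(inventory_json):
    """True when the controller has the malicious build installed, active or not:
    a disabled copy still warrants secret rotation for the period it was active."""
    return bool(find_compromised(inventory_json))


if __name__ == "__main__":
    for name, version, active in find_compromised(SAMPLE_INVENTORY):
        print(f"AFFECTED: {name} {version} (active={active}); rotate all secrets "
              "this controller can read and review outbound traffic from agents")
```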
Why This Matters Now
This incident highlights the increasing sophistication of supply chain attacks targeting development tools, emphasizing the urgent need for organizations to enhance their security protocols and ensure the integrity of third-party software components.
Attack Path Analysis
The attackers initially compromised Checkmarx's GitHub repositories by leveraging credentials obtained from a prior supply chain attack on the Trivy vulnerability scanner. They escalated their privileges within the GitHub environment, allowing them to modify and publish malicious versions of the Jenkins AST plugin. The malicious plugin was then distributed through the Jenkins Marketplace, enabling the attackers to move laterally into the environments of users who installed the compromised plugin. The plugin established command and control channels to exfiltrate sensitive information, including credentials and other data, from the affected systems. The exfiltrated data was used to further compromise additional environments, leading to significant operational disruptions and potential data breaches.
Kill Chain Progression
Initial Compromise
Description
Attackers gained access to Checkmarx's GitHub repositories using credentials obtained from a prior supply chain attack on the Trivy vulnerability scanner.
Related CVEs
CVE-2026-33634
CVSS 8.8
A malicious version of the Checkmarx Jenkins AST plugin was published, allowing unauthorized code execution and potential credential theft.
Affected Products:
Checkmarx Jenkins AST Plugin – 2026.5.09
Exploit Status: Exploited in the wild
MITRE ATT&CK® Techniques
Compromise Software Supply Chain
Valid Accounts
Credentials from Password Stores
Application Layer Protocol
Obfuscated Files or Information
Command and Scripting Interpreter
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure the integrity of software and firmware
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
CISA ZTMM 2.0 – Supply Chain Risk Management
Control ID: Supply Chain Security
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Jenkins CI/CD pipeline compromise via backdoored Checkmarx plugin exposes software development environments to credential theft and supply chain infiltration risks.
Computer/Network Security
Security vendors face cascading supply chain attacks targeting developer tools, compromising security scanning capabilities and requiring comprehensive credential rotation protocols.
Information Technology/IT
IT organizations using Jenkins automation face lateral movement risks from compromised AST plugins, requiring immediate security validation and egress monitoring implementations.
Financial Services
Banking CI/CD pipelines vulnerable to credential harvesting through compromised security plugins, threatening regulatory compliance and requiring enhanced zero trust segmentation.
Sources
- Official CheckMarx Jenkins package compromised with infostealer: https://www.bleepingcomputer.com/news/security/official-checkmarx-jenkins-package-compromised-with-infostealer/
- Update: Ongoing Checkmarx Supply Chain Security Incident: https://checkmarx.com/blog/ongoing-security-updates/
- Checkmarx Jenkins plugin compromised in new supply chain attack: https://www.techzine.eu/news/security/141212/checkmarx-jenkins-plugin-compromised-in-new-supply-chain-attack/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit compromised credentials would likely be limited, reducing unauthorized access to critical repositories.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges within the GitHub environment would likely be constrained, reducing the risk of unauthorized modifications.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally into user environments would likely be restricted, reducing the spread of the malicious plugin.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely be detected and disrupted, reducing external communications.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing data loss.
The attacker's ability to leverage exfiltrated data for further compromises would likely be limited, reducing the scope of operational disruptions.
Impact at a Glance
Affected Business Functions
- Continuous Integration/Continuous Deployment (CI/CD) Pipelines
- Application Security Testing
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of developer credentials, including GitHub tokens, cloud service credentials, and SSH keys.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict access and limit the spread of malicious code within the network.
- Enhance East-West Traffic Security to monitor and control internal communications, preventing lateral movement of threats.
- Deploy Egress Security & Policy Enforcement to detect and block unauthorized data exfiltration attempts.
- Utilize Multicloud Visibility & Control to gain comprehensive insights into cloud environments and detect anomalous activities.
- Establish robust Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious behaviors promptly.