Executive Summary
In May 2026, the cybercriminal group TeamPCP executed a supply chain attack by publishing a malicious version of the Checkmarx Jenkins AST plugin to the Jenkins Marketplace. This compromised plugin, identified as version 2026.5.09, was designed to exfiltrate sensitive information from Jenkins instances, including GitHub tokens, cloud credentials, and SSH keys. Checkmarx promptly advised users to revert to the verified safe version 2.0.13-829.vc72453fa_1c16, released on December 17, 2025, and to rotate all potentially exposed secrets. This incident underscores the escalating threat posed by supply chain attacks targeting development tools and the necessity for organizations to implement stringent security measures within their CI/CD pipelines. The recurrence of such attacks highlights the importance of continuous monitoring and verification of third-party components to safeguard against unauthorized modifications and potential data breaches.
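The two checks a Jenkins administrator needs after this advisory are "is the backdoored build installed anywhere?" and "is the plugin on the verified release?". The script below is an added example, not Checkmarx or Jenkins project code; it reads the JSON shape that a controller's plugin manager API returns (assumed here to be a top-level "plugins" array with shortName, version and active fields) and classifies the Checkmarx AST Scanner plugin (short name checkmarx-ast-scanner, taken from the plugin's update-site page) against the versions named above. The sample input is constructed.

```python
import json
from typing import Dict, List

# Plugin short name as used by the Jenkins update site (plugins.jenkins.io/checkmarx-ast-scanner)
PLUGIN_ID = "checkmarx-ast-scanner"
MALICIOUS_VERSION = "2026.5.09"                 # backdoored release named in the advisory
SAFE_VERSION = "2.0.13-829.vc72453fa_1c16"      # last verified release (17 Dec 2025)


def audit_plugins(plugin_manager_json: str) -> List[Dict[str, object]]:
    """Classify every installed copy of the Checkmarx AST plugin.

    Input: JSON as returned by /pluginManager/api/json?depth=1 (assumed shape:
    {"plugins": [{"shortName": ..., "version": ..., "active": ...}, ...]}).
    Output: one finding per matching entry with a verdict of "compromised"
    (the backdoored build), "verified" (the known-good build) or
    "unverified" (any other version, which still needs a manual look).
    """
    data = json.loads(plugin_manager_json)
    findings = []
    for p in data.get("plugins", []):
        if p.get("shortName") != PLUGIN_ID:
            continue
        version = str(p.get("version", ""))
        if version == MALICIOUS_VERSION:
            verdict = "compromised"
        elif version == SAFE_VERSION:
            verdict = "verified"
        else:
            verdict = "unverified"
        findings.append({"shortName": PLUGIN_ID, "version": version,
                         "active": bool(p.get("active", False)), "verdict": verdict})
    return findings


def needs_response(findings: List[Dict[str, object]]) -> bool:
    """True when the backdoored build is present at all: a disabled copy has
    still been on disk and may already have read the controller's secrets."""
    return any(f["verdict"] == "compromised" for f in findings)


# Constructed sample, not output from a real controller
SAMPLE = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.2.0", "active": True},
    {"shortName": "checkmarx-ast-scanner", "version": "2026.5.09", "active": True},
]})

if __name__ == "__main__":
    results = audit_plugins(SAMPLE)
    for f in results:
        print(f)
    if needs_response(results):
        print("ACTION: revert to", SAFE_VERSION, "and rotate every credential this controller could read")
```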
Why This Matters Now
The recent compromise of the Checkmarx Jenkins AST plugin by TeamPCP highlights the increasing sophistication and frequency of supply chain attacks targeting development tools. Organizations must prioritize the security of their CI/CD pipelines to prevent unauthorized access and data breaches.
Attack Path Analysis
TeamPCP compromised the Checkmarx Jenkins AST plugin by publishing a backdoored version to the Jenkins Marketplace, leading to unauthorized access and potential credential theft. The attackers escalated privileges by exploiting the compromised plugin to access sensitive credentials within Jenkins environments. They moved laterally by leveraging stolen credentials to infiltrate connected systems and services. Command and control were established through exfiltration of credentials and data to attacker-controlled domains. Exfiltration involved transmitting sensitive information, including cloud provider credentials and SSH keys, to external servers. The impact included potential unauthorized access to cloud resources, data breaches, and further supply chain compromises.
Kill Chain Progression
Initial Compromise
Description
TeamPCP published a backdoored version of the Checkmarx Jenkins AST plugin to the Jenkins Marketplace, leading to its installation in Jenkins environments.
Related CVEs
CVE-2026-33634
CVSS 8.8
A malicious version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace, allowing unauthorized code execution.
Affected Products:
Checkmarx Jenkins AST Plugin – 2026.5.09
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Modify Authentication Process: Credential API Hooking
Valid Accounts
Subvert Trust Controls: Code Signing
Obfuscated Files or Information
Command and Scripting Interpreter: Unix Shell
Application Layer Protocol: Web Protocols
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Supply Chain Risk Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting Jenkins AST plugins directly compromise CI/CD pipelines, affecting code security validation and development workflows across software organizations.
Computer/Network Security
Cybersecurity firms using compromised Checkmarx Jenkins plugins face integrity risks in security scanning tools, potentially missing vulnerabilities in client assessments.
Financial Services
Banks and financial institutions relying on automated security testing through Jenkins face compliance violations and increased risk from undetected vulnerabilities.
Information Technology/IT
IT service providers using Jenkins AST plugins risk delivering compromised software to clients, creating cascading security failures across customer environments.
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and controlled access policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may have limited the reach of the compromised plugin by enforcing strict workload isolation, thereby reducing the potential for unauthorized access.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could have constrained the attacker's ability to escalate privileges by enforcing strict access controls, thereby limiting unauthorized access to sensitive credentials.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security could have limited the attacker's lateral movement by monitoring and controlling internal traffic, thereby reducing unauthorized access to connected systems.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could have constrained the attacker's command and control capabilities by monitoring and controlling outbound communications, thereby reducing unauthorized data transmission.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could have limited data exfiltration by enforcing strict outbound traffic policies, thereby reducing unauthorized data transmission to external servers.
The implementation of Aviatrix Zero Trust CNSF could have reduced the overall impact by limiting unauthorized access to cloud resources and containing the blast radius of the breach.
Impact at a Glance
Affected Business Functions
- Continuous Integration/Continuous Deployment (CI/CD) Pipelines
- Software Development Lifecycle
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of source code and build artifacts.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict plugin access to sensitive credentials.
- Enforce East-West Traffic Security to monitor and control lateral movement within the network.
- Utilize Multicloud Visibility & Control to detect and respond to unauthorized access across cloud environments.
- Apply Egress Security & Policy Enforcement to prevent exfiltration of sensitive data to unauthorized domains.
- Deploy Threat Detection & Anomaly Response systems to identify and mitigate suspicious activities promptly.