checkmarx-jenkins-ast-plugin

Incident Summary

Checkmarx Jenkins AST plugin compromised

A modified Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace as version 2026.5.09. Checkmarx advised users to avoid the malicious release and remain on version 2.0.13-829.vc72453fa_1c16 or earlier, keeping CI pipelines off the poisoned plugin until a clean build was available.

Date: 2026-05-09 to 2026-05-10
Category: Commercial
Target Surface: Other
Insertion Phase: distribution
Impact: Credential theft
Cause: Compromised Account/Credentials

What Was Affected

Package checkmarx-jenkins-ast-plugin

LanguageJava

ComponentPlugin

Artifact typeplugin

Domain typepackage host

Domain plugins.jenkins.io

Repository plugins.jenkins.io/checkmarx-ast-scanner

Compromised Versions

2026.5.09

Incident Context

Motive: Credential Theft
Attribution: Advanced Persistent Threat
Transitive: Yes
User Impact: 0
Observed Duration: 1 days

Evidence

Compromised Artifacts

plugins.jenkins.io/checkmarx-ast-scanner

Indicators and Changes

Hashes

sha256:01ff1e56fd59a8fa525d97e670f7f297a1a204331b89b2cd4e36a9abc6419203
sha256:f50a96d26a5b0beb29de4127e82b2bf350c21511e5a43d286e43f798dc6cd53f
sha256:3ddb8967919a801b3c383e58cddceab21138134c6a26560d99e2672e86f36f2a

External References

checkmarx.com/blog/ongoing-security-updates

Source Data

Source record: proprietary/checkmarx-ast/meta.yaml