Checkmarx Jenkins plugin shipped backdoor

TeamPCP returned to Checkmarx through a channel built for trust: the Jenkins AST Scanner plugin. Checkmarx said a modified version of the plugin was published to the Jenkins Marketplace, where Jenkins controllers could pull it as a normal security-scanning integration. The compromised version was 2026.5.09.

The impact was not limited to the plugin process itself. A Jenkins scanner plugin runs inside CI/CD infrastructure, close to source code, environment variables, credentials stores, cloud tokens, Kubernetes material, and deployment secrets. That makes a backdoored security tool a direct path into the systems it was meant to inspect.

Public reporting also described GitHub-side defacement. The plugin repository was renamed with a TeamPCP taunt and its description claimed Checkmarx failed to rotate secrets, matching the actor's habit of pairing payload delivery with public humiliation. The incident followed March and April Checkmarx artifact compromises, so this record stays separate by date and artifact scope while preserving the repeated-access pattern.

Checkmarx published malicious artifact hashes for the HPI, JAR, and POM files and told users to ensure they were on 2.0.13-829.vc72453fa_1c16 from December 17, 2025 or an earlier safe version while clean releases were restored. Jenkins update metadata later showed clean May 9 releases 2.0.13-847.v08c0072b_2fd5 and 2.0.13-848.v76e89de8a_053.

Motive

Credential Theft

Attribution

Group

Cause

Compromised Account Credentials

Transitive

Yes

Actor

TeamPCP

• Update: Ongoing Checkmarx Supply Chain Security Incidentcheckmarx.com
• Checkmarx Jenkins Plugin Backdoored in New TeamPCP Supply Chain Attacksocradar.io
• Checkmarx tackles another TeamPCP intrusion as Jenkins plugin sabotagedtheregister.com
• Checkmarx AST Scanner Jenkins Update Metadataupdates.jenkins.io
• Checkmarx AST Scanner Jenkins Plugin Releasesplugins.jenkins.io