TeamPCP Hackers Target Checkmarx Jenkins Integration
Cybersecurity firm Checkmarx fell victim to a sophisticated supply chain attack on May 9, 2026, when threat actors successfully compromised their Jenkins Application Security Testing (AST) plugin. The malicious version was uploaded to the official Jenkins Marketplace, potentially exposing thousands of development teams using the popular static analysis tool in their CI/CD pipelines.
The attack represents the latest in a series of supply chain compromises targeting developer toolchains. Security researchers identified the threat group behind this incident as TeamPCP, the same actors responsible for previous intrusions into software development infrastructure. The compromised plugin contained obfuscated malicious code designed to execute during the build process, giving attackers potential access to source code repositories, build artifacts, and deployment credentials.
According to The Register's investigation, the attack vector involved compromising Checkmarx's plugin publishing credentials through a targeted phishing campaign against their development team. The attackers then used these legitimate credentials to push a backdoored version of the AST plugin, version 2.4.17, which appeared authentic to Jenkins administrators downloading updates.
The malicious plugin maintained full functionality of the original security scanning capabilities while secretly establishing persistence mechanisms within affected Jenkins environments. This dual-purpose approach allowed the compromise to remain undetected for several days, as development teams continued using the plugin for legitimate security testing without realizing their build environments had been infiltrated.
Jenkins security team members discovered the compromise during routine marketplace monitoring when automated systems flagged unusual network traffic patterns from environments running the latest AST plugin version. Immediate analysis revealed the presence of unauthorized code execution capabilities and data exfiltration mechanisms embedded within the plugin's core scanning functions.
Jenkins Environments Running Checkmarx AST Plugin at Risk
Organizations using Jenkins for continuous integration and deployment with the Checkmarx AST plugin installed face potential compromise of their entire software development lifecycle. The malicious plugin version 2.4.17 affects any Jenkins instance that automatically updated or manually installed the plugin between May 7-10, 2026. This includes enterprise development teams, DevOps organizations, and managed service providers relying on Checkmarx's static analysis capabilities.
The scope of impact extends beyond simple plugin functionality to encompass critical development infrastructure components. Affected Jenkins masters running the compromised plugin could provide attackers with access to source code repositories, build secrets, deployment keys, and production environment credentials stored within Jenkins credential stores. Development teams using shared Jenkins instances face particularly high risk, as a single compromised plugin installation could expose multiple projects and repositories.
Financial services, healthcare, and government organizations using Checkmarx AST for compliance scanning represent high-value targets for the TeamPCP group. These sectors typically maintain extensive Jenkins deployments with elevated privileges for automated testing and deployment processes. The plugin's integration with version control systems like Git, SVN, and Perforce means attackers could potentially access intellectual property, customer data, and sensitive business logic across entire software portfolios.
Cloud-native development teams using containerized Jenkins deployments face additional risks, as the malicious plugin could escape container boundaries and compromise underlying Kubernetes clusters or cloud infrastructure. Organizations with hybrid development environments spanning on-premises and cloud resources need to assess both local Jenkins installations and cloud-hosted instances for signs of compromise.
Immediate Response and Mitigation Steps for Jenkins Administrators
Jenkins administrators must immediately remove Checkmarx AST plugin version 2.4.17 from all instances and revert to the previous known-good version 2.4.16. The Jenkins security team has blacklisted the malicious version, preventing new installations, but existing deployments require manual intervention. Administrators should access the Jenkins plugin manager, navigate to installed plugins, and uninstall the Checkmarx AST plugin entirely before reinstalling the verified clean version.
Complete environment assessment requires examining Jenkins build logs for unusual network connections, unauthorized file system access, or suspicious process execution during the compromise window of May 7-10, 2026. Security teams should review Jenkins master and agent system logs for indicators of compromise, including unexpected outbound connections to external IP addresses, unusual CPU or memory usage patterns, and unauthorized access to credential stores or sensitive build artifacts.
Organizations must rotate all credentials accessible to Jenkins environments, including source code repository access tokens, deployment keys, cloud service credentials, and database connection strings. The Hacker News analysis confirms that the malicious plugin specifically targeted Jenkins credential storage mechanisms, making comprehensive credential rotation essential for preventing ongoing unauthorized access.
Network segmentation and monitoring should be implemented immediately to contain potential lateral movement from compromised Jenkins environments. Firewall rules should restrict Jenkins master and agent communications to essential services only, while network monitoring tools should track all connections from affected systems. Development teams should also scan all code repositories for unauthorized commits, suspicious branches, or modified build configurations that could indicate source code tampering during the compromise period.
