TeamPCP Supply Chain Attack Targets Checkmarx Jenkins Plugin: Second Compromise in Weeks
The threat actor TeamPCP compromised the Checkmarx Jenkins AST plugin as distributed through the official Jenkins plugin update site, weeks after its earlier attack on Checkmarx's KICS tool. Affected users should immediately pin or downgrade the plugin to version 2.0.13-829.vc72453fa_1c16 or earlier and treat any later release as untrusted until Checkmarx confirms which builds were tampered with.
Affected
TeamPCP has demonstrated a sustained campaign against Checkmarx's ecosystem by compromising a second distribution channel within weeks of the KICS supply chain attack. The pattern is consistent with several possibilities that the public advisory does not distinguish between: persistent access to Checkmarx's release infrastructure, stolen publishing credentials with elevated privileges, or code review and release procedures too weak to catch tampered builds across multiple product lines. The timing and targeting indicate that the threat actor knows Checkmarx's release processes well enough to pick the weakest control each time.
The Jenkins AST plugin is a particularly high-value target. Jenkins is ubiquitous in CI/CD pipelines across financial services, software development, and critical infrastructure organisations, and a plugin does not run in a sandbox: it executes inside the controller's JVM with the same access as Jenkins itself, including the credentials store, agent secrets, and whatever tokens the pipelines it participates in use for source code repositories, artifact storage, and deployment systems. Compromised versions distributed through the official update site carry implicit trust that makes detection harder than ad-hoc malware campaigns.
Checkmarx's mitigation guidance gives only a cut-off version (2.0.13-829.vc72453fa_1c16 and earlier are safe), which implies that releases published after December 17, 2025 may contain malicious code without saying which ones do. The incomplete advisory suggests the investigation is still ongoing. Organisations that installed a newer version should assume that any secrets, source code, or artifacts processed by the affected Jenkins instances may have been exposed.
Defenders should immediately audit the installed plugin version on every Jenkins controller, review build logs and artifact deployments from the affected period, and rotate any credentials reachable from those controllers, including entries in the Jenkins credentials store and the service-account tokens used by the pipelines that ran there. This incident also exposes a gap in software supply chain security: neither Checkmarx nor the Jenkins project appears to have detected the tampered plugin before it was published. The update site's signature only attests that the Jenkins project distributed the artifact it received; it says nothing about whether the maintainer's release pipeline or publishing credentials were clean, so a compromised vendor release passes through unchanged.
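The plugin-version audit described above, as an added example rather than tooling from Checkmarx or the Jenkins project. It parses the version strings the Jenkins plugin manager reports, compares them to the cut-off quoted in the advisory, and classifies each controller. Assumptions are labelled in the code: the plugin's short name (`checkmarx-ast-scanner`) is assumed and should be checked against your own plugin list, the "newer" version string in the sample is hypothetical, and the controller data is constructed in the shape returned by a controller's `/pluginManager/api/json?depth=1` endpoint rather than captured from a real instance.

```python
"""Audit Jenkins controllers for suspect Checkmarx AST plugin versions.

Added example, not Checkmarx's or Jenkins' own tooling.
ASSUMPTIONS: the plugin's short name is "checkmarx-ast-scanner" (verify in
your own plugin list); the safe cut-off is the version quoted in the advisory;
the sample controller data below is constructed, not captured.
"""
import json
import re
from typing import Dict, List, Tuple

SAFE_CUTOFF = "2.0.13-829.vc72453fa_1c16"   # cut-off quoted in the advisory
PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"  # ASSUMED short name, check locally

# Jenkins "incrementals" versions look like <major>.<minor>.<patch>-<commits>.v<githash>.
# Only the numeric fields order releases; the git hash carries no ordering.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)(?:\.v[0-9a-f_]+)?)?")


def parse_jenkins_version(version: str) -> Tuple[int, ...]:
    """Return a sortable tuple: three semver fields, then the commit count."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    fields = [int(x) for x in m.group(1).split(".")]
    fields += [0] * (3 - len(fields))          # "2.1" sorts as 2.1.0
    commits = int(m.group(2)) if m.group(2) else 0
    return tuple(fields[:3]) + (commits,)


def is_safe_version(version: str, cutoff: str = SAFE_CUTOFF) -> bool:
    """True when `version` is at or before the advisory cut-off."""
    return parse_jenkins_version(version) <= parse_jenkins_version(cutoff)


def audit_controller(name: str, plugin_manager_json: str,
                     short_name: str = PLUGIN_SHORT_NAME,
                     cutoff: str = SAFE_CUTOFF) -> Dict[str, object]:
    """Classify one controller from its pluginManager JSON.

    status is "absent", "safe" or "SUSPECT". A disabled plugin is still reported:
    the .hpi remains on disk and can be re-enabled, so it must be removed too.
    """
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == short_name:
            version = str(plugin.get("version", ""))
            return {
                "controller": name,
                "version": version,
                "enabled": bool(plugin.get("enabled", True)),
                "status": "safe" if is_safe_version(version, cutoff) else "SUSPECT",
            }
    return {"controller": name, "version": "", "enabled": False, "status": "absent"}


# Constructed sample data in the shape of /pluginManager/api/json?depth=1.
# The ci-staging version string is hypothetical, chosen only to sort after the cut-off.
SAMPLE_CONTROLLERS = {
    "ci-prod": json.dumps({"plugins": [
        {"shortName": "git", "version": "5.2.2", "enabled": True},
        {"shortName": PLUGIN_SHORT_NAME, "version": SAFE_CUTOFF, "enabled": True},
    ]}),
    "ci-staging": json.dumps({"plugins": [
        {"shortName": PLUGIN_SHORT_NAME, "version": "2.0.14-835.v0123456789ab",
         "enabled": True},
    ]}),
    "ci-legacy": json.dumps({"plugins": [
        {"shortName": "git", "version": "5.2.2", "enabled": True},
    ]}),
}


def run_audit(controllers: Dict[str, str] = SAMPLE_CONTROLLERS) -> List[Dict[str, object]]:
    """Audit every controller and return the findings, SUSPECT entries first."""
    findings = [audit_controller(name, body) for name, body in controllers.items()]
    return sorted(findings, key=lambda f: f["status"] != "SUSPECT")


if __name__ == "__main__":
    for finding in run_audit():
        print(f"{finding['controller']:<12} {finding['status']:<8} {finding['version']}")
```

Against a live controller, the JSON for `audit_controller` comes from `curl -u USER:API_TOKEN "$JENKINS_URL/pluginManager/api/json?depth=1"`. Two caveats when acting on a SUSPECT result: the plugin manager's Downgrade button only offers the previously installed version, so pinning to the advisory cut-off usually means installing that `.hpi` by hand and checking its checksum against the one the Jenkins update centre publishes; and the comparison above relies on Jenkins' incrementals version scheme, so a plugin republished under a different scheme would need the regex adjusted rather than silently passing.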
The repeated targeting of Checkmarx's release infrastructure shows that the company faces a determined adversary capable of sustained supply chain attacks. Customers should weigh whether Checkmarx products still fit their risk tolerance given two compromised release channels in quick succession. The question goes beyond patching individual vulnerabilities to the vendor's overall security posture, and to the uncomfortable fact that tools bought to improve security become attack vectors the moment their provider's release pipeline is compromised.