Checkmarx Jenkins AST Plugin Backdoored by TeamPCP in Third Supply Chain Attack
Scope: Checkmarx Jenkins AST Plugin (Version 2026.5.09)
Severity: Red
The TeamPCP hacker group, leveraging credentials stolen in the earlier Trivy supply chain attack, published a malicious version (2026.5.09) of the official Checkmarx Jenkins Application Security Testing plugin to the Jenkins Marketplace on May 9, 2026, marking the third supply chain compromise of Checkmarx infrastructure within two months.

Any Jenkins instance that automatically updated to this version should be treated as fully compromised. The backdoored plugin is designed to silently harvest all credentials visible to the Jenkins runner, including GitHub tokens, AWS/GCP/Azure credentials, Kubernetes configurations, Docker credentials, SSH keys, and API keys stored in environment variables, and to exfiltrate them to attacker infrastructure.

Organizations should immediately verify that they are running the safe version 2.0.13-829.vc72453fa_1c16 (published December 17, 2025), rotate all secrets accessible from affected Jenkins runners, review CI/CD build logs for outbound connections to unknown domains, and monitor Checkmarx's official security update page for ongoing IoCs.
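The version check above can be automated against the plugin manifests under a Jenkins controller's plugins directory. The following is an added example written for this advisory, not code from CERT.UG/CC, Checkmarx or the Jenkins project; the plugin short name `checkmarx-ast-scanner` and the sample manifests are assumptions, and only the two version strings come from the advisory.

```python
"""Flag the backdoored Checkmarx AST plugin by reading Jenkins plugin manifests."""
from pathlib import Path

# Version strings named in the advisory.
MALICIOUS_VERSION = "2026.5.09"
SAFE_VERSION = "2.0.13-829.vc72453fa_1c16"
# Assumed short name of the plugin; confirm against $JENKINS_HOME/plugins/.
PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"


def parse_manifest(text: str) -> dict:
    """Parse a JAR MANIFEST.MF into a dict.

    Long values wrap onto continuation lines that begin with one space;
    those fragments are re-joined so versions and dependency lists stay intact."""
    headers, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last_key is not None:
            headers[last_key] += raw[1:]  # continuation line
            continue
        key, sep, value = raw.partition(":")
        if sep:
            last_key = key.strip()
            headers[last_key] = value.strip()
    return headers


def assess_plugin(manifest_text: str) -> str:
    """Return 'compromised', 'safe', 'unknown' (needs review) or 'not-checkmarx'."""
    h = parse_manifest(manifest_text)
    if h.get("Short-Name") != PLUGIN_SHORT_NAME:
        return "not-checkmarx"
    version = h.get("Plugin-Version", "")
    if version == MALICIOUS_VERSION:
        return "compromised"
    return "safe" if version == SAFE_VERSION else "unknown"


def scan_plugins_dir(plugins_dir: str) -> dict:
    """Assess every exploded plugin under a Jenkins plugins directory."""
    results = {}
    for manifest in Path(plugins_dir).glob("*/META-INF/MANIFEST.MF"):
        results[manifest.parent.parent.name] = assess_plugin(manifest.read_text())
    return results


# Constructed sample manifests (not real plugin files), one wrapped line included.
SAMPLE_SAFE = """Manifest-Version: 1.0
Short-Name: checkmarx-ast-scanner
Plugin-Version: 2.0.13-829.vc72453fa_1c16
Plugin-Dependencies: credentials:1000.v1,workflow-step-a
 pi:600.v2
"""
SAMPLE_BAD = SAMPLE_SAFE.replace(SAFE_VERSION, MALICIOUS_VERSION)
```

Running `scan_plugins_dir("/var/lib/jenkins/plugins")` on a controller lists every plugin with its verdict; anything other than `safe` for the Checkmarx entry should trigger the secret rotation and log review steps above.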
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.