Supply‑Chain Attack: Rogue Checkmarx Jenkins AST Plugin Distributes Credential‑Stealing Infostealer
What Happened — A malicious version of Checkmarx's Jenkins Application Security Testing (AST) plugin was published to the official Jenkins plugin repository. The plugin had been back-doored by the TeamPCP group to harvest developer credentials and other secrets from the systems that ran it.
Why It Matters for TPRM —
- Compromise of a widely used CI/CD component exposes downstream customers' source code and the credentials present in their pipelines, not only the vendor that shipped it.
- Credential-stealing malware gives an attacker footholds for lateral movement into further software supply chains and into production environments.
- The stolen GitHub credentials that enabled this compromise came from an earlier breach of a different developer tool; each successful theft seeds the next, so any organization that trusts the compromised plugin inherits risk from breaches outside its own vendor relationships.
Who Is Affected — Software development teams, DevSecOps service providers, CI/CD platform operators, and any organization that integrates the Checkmarx AST plugin into its pipelines (primarily technology/SaaS vendors).
Recommended Actions —
- Immediately check the installed plugin version: treat any version newer than the last known clean release (2.0.13-829.vc72453fa_1c16) as suspect, and either downgrade to that release or remove the plugin. Confirm the version from the installed archive's manifest, not only from the Jenkins UI.
- Rotate every credential that could have been reachable from an affected host: GitHub and Docker registry credentials, tokens cached by VS Code, SSH keys, API tokens, and secrets passed to builds as environment variables.
- Review CI/CD logs forensically for unauthorized activity: unexpected plugin installs or upgrades, outbound connections from the build environment to destinations the pipeline does not normally use, and any use of the exposed credentials after the time they could have been stolen.
- Harden supply-chain controls: pin plugin versions and verify artifact checksums and signatures before installation, monitor repository access, and run pipelines under least-privilege service accounts.
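The version check and artifact verification above, as an added example; this is not the advisory's code and not Checkmarx's or Jenkins' own tooling. It audits plugin archives from a copy of $JENKINS_HOME/plugins offline: it reads Plugin-Version from each .jpi/.hpi manifest, orders it against the last known clean release named above, and optionally compares the archive's SHA-256 with a digest you have independently confirmed as the clean one. Two things are assumptions: the plugin's Short-Name is taken to be checkmarx-ast-scanner (verify it against your own installed manifest), and the archives produced by make_jpi are constructed samples containing only a manifest, not real plugins.

```python
"""Offline audit of Jenkins plugin archives against a known-clean release."""
import hashlib
import io
import re
import zipfile
from pathlib import Path

# Last known clean release, as named in the advisory.
LAST_CLEAN_VERSION = "2.0.13-829.vc72453fa_1c16"
# ASSUMPTION: the plugin's Short-Name as written in its MANIFEST.MF.
# Confirm it against the Short-Name in your own installed .jpi before relying on it.
PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"

# Jenkins "incremental" version strings look like <semver>-<build>.v<git-sha>[_<suffix>].
_VERSION_RE = re.compile(
    r"^(?P<base>\d+(?:\.\d+)*)"
    r"(?:-(?P<build>\d+)(?:\.(?P<commit>v[0-9a-f]+(?:_[0-9a-f]+)*))?)?$"
)


def parse_version(text):
    """Split a Jenkins plugin version into (base tuple, build number, commit tag)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins plugin version: {text!r}")
    base = tuple(int(part) for part in m.group("base").split("."))
    build = int(m.group("build") or 0)
    return base, build, m.group("commit") or ""


def version_key(text):
    """Ordering key: only the numeric parts are ordered; the commit tag is a label."""
    base, build, _commit = parse_version(text)
    return base, build


def is_newer_than_clean(installed):
    """True when the installed version sorts after the last known clean release."""
    return version_key(installed) > version_key(LAST_CLEAN_VERSION)


def read_manifest(jpi_bytes):
    """Return the main-section attributes of META-INF/MANIFEST.MF inside a .jpi/.hpi zip."""
    with zipfile.ZipFile(io.BytesIO(jpi_bytes)) as zf:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs, key = {}, None
    for line in raw.splitlines():
        if line.startswith(" ") and key is not None:  # 72-byte continuation line
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            attrs[key] = value.strip()
        elif not line:
            break  # blank line ends the main section
    return attrs


def classify(jpi_bytes, trusted_sha256=None):
    """Decide whether one plugin archive is the clean release, newer (suspect), or older."""
    attrs = read_manifest(jpi_bytes)
    name = attrs.get("Short-Name", "")
    version = attrs.get("Plugin-Version", "")
    digest = hashlib.sha256(jpi_bytes).hexdigest()
    if name != PLUGIN_SHORT_NAME:
        verdict = "not-target-plugin"
    elif is_newer_than_clean(version):
        verdict = "suspect-newer-than-clean"
    elif version_key(version) == version_key(LAST_CLEAN_VERSION):
        # A relabelled artifact can claim the clean version string; trust bytes, not labels.
        if trusted_sha256 is not None and digest != trusted_sha256.lower():
            verdict = "suspect-hash-mismatch"
        else:
            verdict = "clean"
    else:
        verdict = "older-than-clean"
    return {"name": name, "version": version, "sha256": digest, "verdict": verdict}


def scan_plugins_dir(plugins_dir, trusted_sha256=None):
    """Classify every .jpi/.hpi in a copy of $JENKINS_HOME/plugins."""
    results = []
    for path in sorted(Path(plugins_dir).glob("*.[jh]pi")):
        results.append({"file": path.name, **classify(path.read_bytes(), trusted_sha256)})
    return results


def make_jpi(short_name, version):
    """CONSTRUCTED sample: a minimal zip holding only a manifest, not a real plugin."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        f"Short-Name: {short_name}\r\n"
        f"Plugin-Version: {version}\r\n"
        "Long-Name: Checkmarx AST Scanner (constructed sample)\r\n\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {  # constructed archives, labelled by the outcome they exercise
        "clean.jpi": make_jpi(PLUGIN_SHORT_NAME, LAST_CLEAN_VERSION),
        "newer.jpi": make_jpi(PLUGIN_SHORT_NAME, "2.0.14-830.v0123abcd"),
        "other.jpi": make_jpi("git", "5.0.0-100.vabc"),
    }
    for fname, blob in samples.items():
        print(fname, classify(blob))
```

Run it as-is to see the constructed samples classified, or call scan_plugins_dir("/var/lib/jenkins/plugins") on a copy of the directory taken before any remediation. Versions are ordered by their numeric parts only, because the commit suffix carries no ordering; the optional hash comparison exists because an attacker who can push a plugin can also stamp it with the clean version string, so a matching version whose digest disagrees with the trusted one deserves the same response as a newer version: downgrade to the clean release or remove the plugin.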
Technical Notes — The attackers used stolen GitHub credentials obtained in a prior Trivy supply-chain breach to push a modified Jenkins AST plugin artifact. The malicious code functions as an infostealer, harvesting SSH keys, API tokens, and environment variables from the developer and CI machines on which the plugin runs. No CVE has been assigned; the vector is compromise of a third-party dependency rather than an exploitable software vulnerability. Source: BleepingComputer