Supply Chain Attack Compromises Checkmarx Jenkins AST Plugin, Exposing DevOps Pipelines
What Happened — A malicious version of Checkmarx's Jenkins AST (Application Security Testing) plugin was published through the official Jenkins plugin update center, likely by the TeamPCP threat group. It appeared weeks after a separate supply-chain incident involving Checkmarx's KICS infrastructure-as-code scanner, which points to a sustained campaign against DevOps tooling rather than a one-off.
Why It Matters for TPRM —
- Third‑party build tools can become a conduit for malicious code into enterprise environments.
- A compromised security-testing plugin defeats the very control organizations rely on to catch vulnerabilities, and because Jenkins plugins run inside the controller with its full privileges, the attacker inherits the reach of an administrator.
- The incident highlights the need for continuous verification of vendor‑supplied components in CI/CD pipelines.
Who Is Affected — Organizations that integrate Checkmarx’s AST plugin into Jenkins for static code analysis, across technology, finance, healthcare, and other sectors that practice DevSecOps.
Recommended Actions —
- Immediately verify the installed plugin version; only version 2.0.13-829.vc72453fa_1c16 (released Dec 17 2025) or earlier is approved. Compare the full version string, including the commit-hash suffix, not just the release number.
- Remove any unverified or newer versions from Jenkins instances.
- Pin plugin versions and verify the published checksum (and signature, where the vendor provides one) of every plugin artifact before it reaches a controller; treat the update center as a distribution channel, not as an attestation of integrity.
- Audit controllers and build agents that ran the affected plugin for unauthorized code, pipeline or job-configuration changes, and rotate any credentials those builds could access.
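The version check and checksum verification above, as an added example written for this brief (it is not the advisory's, Checkmarx's or Jenkins' own tooling). It assumes the plugin's short name is checkmarx-ast-scanner, that the inventory is the JSON shape returned by GET <jenkins>/pluginManager/api/json?depth=1, and that published checksums are base64-encoded SHA-256 as in update-center.json; the sample inventory is constructed, not real data. An exact match on the approved string is the only fully trusted state: a build that reuses the approved release and build number but carries a different commit hash is flagged rather than accepted, because the hash suffix is not orderable.

```python
# Added example for this advisory: audit a Jenkins plugin inventory against the
# approved Checkmarx AST plugin pin and verify a downloaded .hpi checksum.
# Not the advisory's, Checkmarx's or Jenkins' own code. Assumptions:
#   - the plugin's short name is "checkmarx-ast-scanner";
#   - the inventory is the JSON returned by GET /pluginManager/api/json?depth=1
#     ("plugins": [{"shortName": ..., "version": ..., "active": ...}]);
#   - expected checksums are base64 SHA-256, as published in update-center.json.
import base64
import hashlib
import hmac
import json
import re

APPROVED_VERSION = "2.0.13-829.vc72453fa_1c16"   # from the advisory (Dec 17 2025 build)
PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"      # assumed plugin id

# Jenkins incrementals versions look like <release>-<build>.v<commit-hash>;
# older plugins may use a bare <release>. Only release and build are orderable.
_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)(?:-(?P<build>\d+)(?:\.v(?P<hash>[0-9a-f_]+))?)?$"
)


def parse_version(version: str):
    """Return an orderable (release_tuple, build_number) key, or raise ValueError."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins plugin version: {version!r}")
    release = tuple(int(part) for part in m.group("release").split("."))
    build = int(m.group("build")) if m.group("build") else 0
    return release, build


def classify_version(installed: str, approved: str = APPROVED_VERSION) -> str:
    """Compare an installed version string with the approved pin.

    Only an exact string match is fully trusted; an equal release/build with a
    different commit hash is reported as suspect, not accepted.
    """
    if installed.strip() == approved:
        return "OK_PINNED"
    try:
        key_installed = parse_version(installed)
    except ValueError:
        return "UNPARSEABLE"
    key_approved = parse_version(approved)
    if key_installed < key_approved:
        return "OK_OLDER"
    if key_installed == key_approved:
        return "SUSPECT_SAME_BUILD_DIFFERENT_HASH"
    return "REMOVE_NEWER_THAN_APPROVED"


def audit_inventory(inventory_json: str, short_name: str = PLUGIN_SHORT_NAME) -> list:
    """Return one finding per matching plugin entry; an empty list means not installed."""
    inventory = json.loads(inventory_json)
    findings = []
    for plugin in inventory.get("plugins", []):
        if plugin.get("shortName") != short_name:
            continue
        version = plugin.get("version", "")
        findings.append({
            "shortName": short_name,
            "version": version,
            "active": bool(plugin.get("active", False)),
            "status": classify_version(version),
        })
    return findings


def sha256_b64(data: bytes) -> str:
    """Base64 SHA-256 digest, the encoding assumed for update-center.json entries."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def verify_hpi_digest(hpi_bytes: bytes, expected_sha256_b64: str) -> bool:
    """True only if the downloaded .hpi matches the published digest exactly."""
    return hmac.compare_digest(sha256_b64(hpi_bytes), expected_sha256_b64)


# Constructed sample inventory (not real data): an unrelated plugin plus a
# Checkmarx AST plugin newer than the approved pin.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.2.2", "active": True},
    {"shortName": "checkmarx-ast-scanner", "version": "2.0.14-835.v1234abcd_ef", "active": True},
]})

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY) or [{"status": "NOT_INSTALLED"}]:
        print(finding)
    for v in ("2.0.13-829.vc72453fa_1c16", "2.0.12-800.v0a1b2c3d",
              "2.0.13-829.vdeadbeef_0000", "latest"):
        print(v, "->", classify_version(v))
```

Feed the script the real inventory by fetching /pluginManager/api/json?depth=1 with an API token and passing the body to audit_inventory; anything other than OK_PINNED or OK_OLDER should be removed and the controller treated as potentially compromised until the audit above is complete.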
Technical Notes — The malicious build reached users through the vendor's release path rather than through a flaw in Jenkins itself; it likely embedded a backdoor able to execute arbitrary commands on build agents. No specific CVE is cited, which is typical of a supply-chain compromise: the attack exploits the trust downstream users place in plugins distributed through the official Jenkins channel, not a software defect. Source: The Hacker News