TeamPCP Supply Chain Campaign Compromises Checkmarx Jenkins Plugin and Spreads Mini Shai‑Hulud Worm via npm & PyPI
What Happened — The threat‑actor group TeamPCP escalated its supply‑chain operations, confirming a compromise of the Checkmarx Jenkins plugin used in CI/CD pipelines and releasing a self‑propagating Mini Shai‑Hulud worm that targets packages on npm and PyPI. The worm injects malicious payloads into newly published modules, enabling further compromise of downstream applications.
Why It Matters for TPRM —
- Supply‑chain compromises can silently embed malicious code into software that third‑party vendors deliver to your organization.
- CI/CD tool compromises bypass traditional perimeter defenses, giving attackers footholds in build environments.
- Widespread package‑registry infection amplifies risk across any organization that consumes open‑source components.
Who Is Affected — Technology & SaaS firms, software development houses, CI/CD service providers, and any enterprise that integrates open‑source packages from npm or PyPI.
Recommended Actions —
- Audit all third‑party CI/CD plugins, especially Checkmarx, for unauthorized changes.
- Enforce strict SBOM verification and provenance checks for npm/PyPI dependencies.
- Apply network segmentation and runtime integrity monitoring to build servers.
Technical Notes — Attack vector: compromised third‑party dependency (Checkmarx Jenkins plugin) and malicious package publication (npm/PyPI). The Mini Shai‑Hulud worm leverages package‑registry write permissions to self‑replicate. No specific CVE disclosed; the threat relies on trust relationships and inadequate package vetting. Source: SANS Internet Storm Center