
Checkmarx Jenkins Plugin Hit in Supply Chain Attack

TeamPCP compromised the Checkmarx Jenkins AST Plugin weeks after the KICS supply chain attack. Here's what developers need to know to protect their pipelines.

May 11, 2026 | VibeWShield News Agent | Source: thehackernews.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

The threat actor group known as TeamPCP has compromised the Checkmarx Jenkins AST Plugin, marking a second significant supply chain hit in quick succession after their earlier attack on KICS (Keeping Infrastructure as Code Secure). The Checkmarx Jenkins AST Plugin supply chain attack is a direct threat to any development team using this plugin in their CI/CD pipeline, and the timing raises serious questions about the group's access and persistence.

How the TeamPCP Supply Chain Attack Works

Supply chain attacks targeting plugins are particularly dangerous because they hijack trusted tooling. When a developer installs or updates the Checkmarx Jenkins AST Plugin, they expect the code Checkmarx published, delivered through the Jenkins update center, whose signed metadata carries a checksum for each release. That check only proves the archive is the one that was published. If TeamPCP managed to push malicious code into the plugin's distribution channel, the poisoned build is the one the checksum vouches for, and every pipeline that pulls the update executes attacker-controlled code.

The KICS attack followed the same pattern. Compromising two separate Checkmarx tools within weeks suggests either credential access to Checkmarx's publishing infrastructure, a compromised maintainer account, or a vulnerability in the release pipeline itself. None of those options are good. The attacker doesn't need to break into your environment if your build tooling does it for them.

What's at Risk in Your CI/CD Pipeline

Jenkins plugins run with significant permissions inside build environments. The AST plugin specifically interacts with source code scanning workflows, which means it has access to source code, environment variables, secrets injected at build time, and potentially artifact repositories.

A compromised plugin could exfiltrate source code, steal credentials stored as Jenkins secrets, inject malicious artifacts into your build outputs, or create backdoors in compiled binaries before they ship. Developers often grant Jenkins nodes broad permissions precisely because the tooling needs them. That trust becomes an attack vector when the plugin itself is malicious.

The back-to-back hits on KICS and now the Jenkins AST Plugin also suggest TeamPCP may be specifically targeting the Checkmarx ecosystem. If you use other Checkmarx integrations in your pipeline, treat them as potentially at risk until Checkmarx provides a full incident disclosure.

Immediate Steps to Protect Your Build Pipeline

First, audit which version of the Checkmarx Jenkins AST Plugin is running in your environment, and record the SHA-256 of the installed archive. Cross-reference against the checksum for that version in the Jenkins update center metadata and against any verified releases or hashes Checkmarx publishes in its advisory. Keep the caveat in mind: a checksum that matches a poisoned release tells you only that you received the poisoned release, so the reference hash has to come from a build you have reason to trust. If Checkmarx hasn't published verified hashes for known-good versions, that's a gap worth flagging directly to their security team.

Second, review what the plugin can reach. A Jenkins plugin runs inside the controller JVM and any build step it contributes runs on the agent, so it sees whatever the job exposes. Secrets should not be exposed to plugins that don't explicitly need them: rather than injecting credentials as job-wide environment variables, bind them with the Credentials Binding plugin's withCredentials block so they exist only for the specific build steps that use them.

Third, check your plugin update policy. Jenkins does not update plugins on its own, but many teams automate it through container images, Configuration as Code, or plugin-installation tooling that resolves to the latest version. That convenience is the path by which a poisoned release reaches your controller without anyone looking at it. Pin plugin versions and treat updates as deployments that require review, not background maintenance.

Fourth, scan your pipeline outputs. If compromised code ran in your build environment, artifacts produced during that window should be treated as suspect. Run integrity checks and consider rebuilding from a verified clean state. You can scan your web-facing application endpoints at /scan to check for indicators of compromise that may have made it through to deployed environments.
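The inventory and pin check from the first and third steps above, as an added example; this is my code, not Checkmarx's or the Jenkins project's. It assumes plugins live as <short-name>.jpi zip archives under $JENKINS_HOME/plugins, each with a META-INF/MANIFEST.MF carrying Short-Name and Plugin-Version; that the pin file mirrors the per-plugin version and base64-encoded sha256 fields of Jenkins' update-center.json (verify that shape against your own update center); and that the Checkmarx plugin's short name is checkmarx-ast-scanner. The plugin archives and version strings in the demo are constructed.

```python
"""Audit installed Jenkins .jpi plugins against pinned versions and SHA-256 checksums.

Added example, not Checkmarx or Jenkins project code. Assumed layout: one
<short-name>.jpi per plugin under $JENKINS_HOME/plugins, pins keyed by short
name with "version" and base64 "sha256" (the update-center.json shape).
"""
import base64
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path


def b64_sha256(data: bytes) -> str:
    """SHA-256 of the archive, base64-encoded the way update-center.json publishes it."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def parse_manifest(text: str) -> dict:
    """Parse a JAR manifest; lines starting with a space continue the previous value."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
            last = key.strip()
    return attrs


def inspect_jpi(path: Path) -> dict:
    """Return short name, declared version and checksum of one installed archive."""
    data = path.read_bytes()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    return {
        "name": manifest.get("Short-Name", path.stem),
        "version": manifest.get("Plugin-Version", "unknown"),
        "sha256": b64_sha256(data),
    }


def audit_plugins(plugin_dir: Path, pins: dict) -> dict:
    """Classify each plugin as ok, version-mismatch, hash-mismatch or unpinned.

    A matching hash proves only that the archive is the one the pin was taken
    from; pins must come from a release you trust, and be re-checked whenever
    the vendor discloses a compromise window.
    """
    results = {}
    for jpi in sorted(plugin_dir.glob("*.jpi")):
        info = inspect_jpi(jpi)
        pin = pins.get(info["name"])
        if pin is None:
            status = "unpinned"
        elif info["version"] != pin["version"]:
            status = "version-mismatch"
        elif info["sha256"] != pin["sha256"]:
            status = "hash-mismatch"
        else:
            status = "ok"
        results[info["name"]] = (status, info["version"])
    return results


def make_jpi(short_name: str, version: str, payload: bytes) -> bytes:
    """Build a minimal constructed .jpi with a fixed timestamp so bytes are reproducible."""
    manifest = (f"Manifest-Version: 1.0\r\nShort-Name: {short_name}\r\n"
                f"Plugin-Version: {version}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (("META-INF/MANIFEST.MF", manifest.encode()),
                           ("WEB-INF/lib/plugin.jar", payload)):
            zf.writestr(zipfile.ZipInfo(name, date_time=(2026, 1, 1, 0, 0, 0)), data)
    return buf.getvalue()


def demo() -> dict:
    """Constructed scenario: a tampered Checkmarx archive, a clean pin, a drifted version, an unpinned plugin."""
    good_cx = make_jpi("checkmarx-ast-scanner", "2.0.0", b"known-good-bytes")
    scm = make_jpi("example-scm", "3.2.1", b"scm-bytes")
    pins = {  # pins captured from the trusted baseline before the incident window
        "checkmarx-ast-scanner": {"version": "2.0.0", "sha256": b64_sha256(good_cx)},
        "example-scm": {"version": "3.2.1", "sha256": b64_sha256(scm)},
        "example-pipeline": {"version": "1.0", "sha256": "unused"},
    }
    # Same version string as the pin, different bytes: what the hash check exists for.
    bad_cx = make_jpi("checkmarx-ast-scanner", "2.0.0", b"backdoored-bytes")
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp)
        (plugins / "checkmarx-ast-scanner.jpi").write_bytes(bad_cx)
        (plugins / "example-scm.jpi").write_bytes(scm)
        (plugins / "example-pipeline.jpi").write_bytes(make_jpi("example-pipeline", "1.1", b"p"))
        (plugins / "example-extra.jpi").write_bytes(make_jpi("example-extra", "0.9", b"x"))
        return audit_plugins(plugins, pins)


if __name__ == "__main__":
    for name, (status, version) in demo().items():
        print(f"{status:17} {name} {version}")
```

In a real audit, point audit_plugins at $JENKINS_HOME/plugins and build the pin file from the update center entry of the version you last reviewed; any hash-mismatch or version-mismatch on the Checkmarx plugin during the disclosed window means the builds from that controller are suspect, per the fourth step.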

For broader context on securing CI/CD tooling and understanding plugin-based attack vectors, check out our guide on supply chain vulnerabilities in DevOps.

FAQ

How do I know if my Jenkins environment ran the compromised plugin version? Check your Jenkins plugin manager for the installed version and build timestamps. Compare against the dates Checkmarx identifies as the compromise window. Any builds run during that window using the plugin should be considered suspect.

Should I disable the Checkmarx Jenkins AST Plugin immediately? If you cannot verify the integrity of your installed version, yes. Pause automated scanning via this plugin until Checkmarx issues a verified clean release with published checksums.

Does this affect Checkmarx cloud-hosted scanning products or only the Jenkins plugin? Based on available information, this attack targets the Jenkins plugin distribution specifically. Cloud-hosted Checkmarx services operate separately, but monitor Checkmarx's official security advisories for the full scope of the incident.

