Checkmarx discovered a compromised version of its Jenkins Application Security Testing (AST) plugin being distributed through the official Jenkins plugin index, the update center from which Jenkins controllers download plugins. The rogue package carried an infostealer payload designed to exfiltrate sensitive data from systems on which it was installed.
The malicious release was published under the identity of the legitimate Checkmarx AST plugin, which development teams use to scan code for security vulnerabilities as part of the build pipeline. Because it arrived through the same channel as a normal plugin update, it remained available for download until Checkmarx identified and reported the threat.
The infostealer component targets the credentials and environment variables held in Jenkins environments: API tokens, authentication keys, and cloud provider credentials that both developers and the CI/CD system itself use. Stolen credentials of this kind are valuable because they let an attacker reach downstream systems, source repositories, and cloud infrastructure while looking like legitimate pipeline activity, which makes the access hard to distinguish from normal use.
Jenkins operators who installed the compromised plugin during the window of exposure face immediate risk. Jenkins plugins run inside the controller's JVM with no sandboxing, so the payload executes with the full permissions of the Jenkins process: it can read the controller's stored credentials, configuration files, and the environment of any build it touches. Organizations that run CI/CD pipelines on Jenkins tend to concentrate exactly these high-value secrets on the controller, which is what makes a supply chain compromise of a build plugin so attractive to threat actors.
Checkmarx responded by having the malicious plugin removed from the update center and issuing an alert to Jenkins administrators. The company recommended immediate removal of any suspicious AST plugin versions and verification of installed plugin signatures; in practice this means checking that the plugin files on disk match the checksums the Jenkins update center publishes for each release, since the update center metadata itself is signed and carries a SHA-256 digest per plugin.
This incident reflects a growing pattern of supply chain attacks targeting CI/CD infrastructure. Threat actors recognize that compromising build tools provides persistent access to source code, credentials, and deployment pipelines. Previous incidents have targeted similar developer tools, including npm packages and GitHub Actions.
Organizations should audit their Jenkins installations for the malicious AST plugin version immediately. Administrators must treat every credential reachable from an affected controller as compromised and rotate it, then review build and controller logs for unexpected activity during the exposure window. Verifying plugin checksums against the update center and restricting plugin sources to trusted, pinned update sites reduces exposure to similar attacks. Jenkins users should prioritize updating the Checkmarx AST
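The audit step above can be scripted. The following is an added example written for this article, not code from Checkmarx or the Jenkins project. It walks a controller's `$JENKINS_HOME/plugins` directory, reads each plugin's `META-INF/MANIFEST.MF` for its short name and version, hashes the plugin archive, and compares the result with the checksum the update center publishes; the Checkmarx plugin's short name is assumed to be `checkmarx-ast-scanner`, and the version strings, plugin archives, and update center metadata in the demo are constructed sample data, not real releases. The update center's `update-center.json` only lists the current release of each plugin, so an older installed version is reported as unverifiable rather than as a mismatch.

```python
"""Audit installed Jenkins plugins against update-center checksums.

Added example for this article; not Checkmarx's or the Jenkins project's code.
Assumptions: plugins live in $JENKINS_HOME/plugins as .jpi/.hpi zip archives whose
META-INF/MANIFEST.MF carries Short-Name and Plugin-Version, and update-center.json
lists, per plugin, the current "version" and a base64-encoded "sha256" digest.
"""
import base64
import hashlib
import io
import json
import os
import tempfile
import zipfile

# Assumed short name of the Checkmarx AST plugin on the Jenkins plugin index.
WATCHLIST = {"checkmarx-ast-scanner"}


def read_manifest(jpi_bytes):
    """Parse META-INF/MANIFEST.MF into a dict (continuation lines start with a space)."""
    with zipfile.ZipFile(io.BytesIO(jpi_bytes)) as zf:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    fields, key = {}, None
    for line in raw.splitlines():
        if line.startswith(" ") and key:
            fields[key] += line[1:]
        elif ":" in line:
            key, _, val = line.partition(":")
            fields[key.strip()] = val.strip()
    return fields


def sha256_b64(data):
    """Base64 SHA-256, the encoding update-center.json uses for its sha256 field."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def load_update_center(path):
    """Load update-center.json; the default file is JSONP-wrapped as updateCenter.post(...);
    while update-center.actual.json is plain JSON."""
    with open(path, encoding="utf-8") as f:
        text = f.read().strip()
    if text.startswith("updateCenter.post("):
        text = text[len("updateCenter.post("):].rstrip(";").rstrip(")")
    return json.loads(text)


def audit_plugins(plugins_dir, update_center, watchlist=WATCHLIST):
    """Return one finding per plugin archive: name, version, status, watchlist flag."""
    findings = []
    for fname in sorted(os.listdir(plugins_dir)):
        if not fname.endswith((".jpi", ".hpi")):
            continue  # skip exploded plugin directories and .pinned/.disabled markers
        with open(os.path.join(plugins_dir, fname), "rb") as f:
            data = f.read()
        mf = read_manifest(data)
        name = mf.get("Short-Name", fname)
        version = mf.get("Plugin-Version", "?")
        entry = update_center.get("plugins", {}).get(name)
        if entry is None:
            status = "unknown-plugin"          # not published by this update center at all
        elif entry.get("version") != version:
            status = "not-current-unverifiable"  # metadata only covers the current release
        elif entry.get("sha256") != sha256_b64(data):
            status = "checksum-mismatch"       # bytes on disk differ from the published release
        else:
            status = "ok"
        findings.append({"name": name, "version": version, "status": status,
                         "watchlist": name in watchlist})
    return findings


def build_jpi_bytes(short_name, version, extra=None):
    """Constructed plugin archive: a zip with a minimal Jenkins plugin manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nShort-Name: {short_name}\r\n"
                    f"Plugin-Version: {version}\r\n")
        if extra:
            zf.writestr(*extra)  # stands in for an injected payload jar
    return buf.getvalue()


def demo():
    """Constructed scenario: one clean plugin, one tampered Checkmarx plugin."""
    plugins_dir = tempfile.mkdtemp()
    git_ok = build_jpi_bytes("git", "9.9.9")                   # sample version, not a real release
    cx_clean = build_jpi_bytes("checkmarx-ast-scanner", "9.9.9")
    cx_tampered = build_jpi_bytes("checkmarx-ast-scanner", "9.9.9",
                                  ("WEB-INF/lib/extra.jar", b"constructed payload"))
    with open(os.path.join(plugins_dir, "git.jpi"), "wb") as f:
        f.write(git_ok)
    with open(os.path.join(plugins_dir, "checkmarx-ast-scanner.jpi"), "wb") as f:
        f.write(cx_tampered)
    # Constructed update-center metadata: digests of the clean builds.
    update_center = {"plugins": {
        "git": {"version": "9.9.9", "sha256": sha256_b64(git_ok)},
        "checkmarx-ast-scanner": {"version": "9.9.9", "sha256": sha256_b64(cx_clean)},
    }}
    return audit_plugins(plugins_dir, update_center)


if __name__ == "__main__":
    for finding in demo():
        flag = " <-- WATCHLIST" if finding["watchlist"] else ""
        print(f"{finding['name']} {finding['version']}: {finding['status']}{flag}")
```

On a real controller, run `audit_plugins(os.path.join(os.environ["JENKINS_HOME"], "plugins"), load_update_center("update-center.json"))` with a metadata file fetched from the update center you trust, and treat `checksum-mismatch` on any plugin, not only the watchlisted one, as an incident: a plugin whose bytes differ from the published release must be removed and the controller's credentials rotated.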
