Checkmarx confirmed that attackers compromised its Jenkins AST plugin and published a malicious version to the official Jenkins Marketplace. The threat actor TeamPCP modified the plugin, distributing a backdoored version that organizations may have installed directly from the trusted repository.

Checkmarx instructed users to verify that they are running version 2.0.13-829.vc72453fa_1c16, published on December 17, 2025, or an earlier release. Any version released after that date should be considered compromised. The attack is the second supply chain incident targeting Checkmarx in recent weeks, following the earlier compromise of the container image for KICS, Checkmarx's scanning tool.

The Jenkins plugin serves as a bridge between Jenkins CI/CD pipelines and Checkmarx's application security testing platform. Developers rely on this integration to scan code for vulnerabilities during continuous integration workflows. A backdoored version deployed through the official marketplace poses a severe risk: attackers gain code execution inside the build pipeline, which can let them inject malicious code into software builds, steal credentials, or establish persistence across development infrastructure.

Organizations running Jenkins with the Checkmarx AST plugin should immediately audit their installations. Check plugin version numbers and review build logs for suspicious activity dating from late December 2025. Any compromised version could have executed arbitrary commands on Jenkins agents, accessed environment variables containing API keys or credentials, or modified source code before compilation.
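One way to automate the version check above, as an added example that is not part of the original article or of Checkmarx's tooling: it parses the JSON that Jenkins returns from `GET /pluginManager/api/json?depth=1`, finds the Checkmarx AST plugin, and flags any build newer than the known-good version quoted in the advisory. The plugin short name `checkmarx-ast-scanner` is an assumption (confirm it on your controller's Installed Plugins page), and the build number embedded in the Jenkins incrementals version string is used as the ordering proxy for "released after December 17, 2025".

```python
import json
import re

# Known-good version quoted in the Checkmarx advisory on this page.
KNOWN_GOOD = "2.0.13-829.vc72453fa_1c16"
# Plugin short name as Jenkins reports it; assumed here, verify on your controller.
PLUGIN_ID = "checkmarx-ast-scanner"

# Matches "MAJOR.MINOR.PATCH" with an optional incrementals suffix "-BUILD.v<hash>".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+)\.v[0-9a-f_]+)?$")

def version_key(version: str) -> tuple:
    """Turn '2.0.13-829.vc72453fa_1c16' into (2, 0, 13, 829) for ordering.
    Incrementals builds carry a monotonically increasing build number after
    the '-', so a larger tuple means a newer release."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))

def assess_plugin(plugin_manager_json: str) -> dict:
    """Given the body of /pluginManager/api/json?depth=1, return a verdict dict.
    'status' is 'ok' (known-good or older), 'suspect' (newer than known-good)
    or 'absent' (plugin not installed on this controller)."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_ID:
            installed = plugin.get("version", "")
            newer = version_key(installed) > version_key(KNOWN_GOOD)
            return {"status": "suspect" if newer else "ok",
                    "installed": installed, "known_good": KNOWN_GOOD,
                    "enabled": bool(plugin.get("enabled", False))}
    return {"status": "absent", "installed": None, "known_good": KNOWN_GOOD}

# Constructed sample response (not real data) in the shape Jenkins returns.
SAMPLE = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.4.1", "enabled": True},
    {"shortName": PLUGIN_ID, "version": "2.0.14-831.vab12cd34ef56", "enabled": True},
]})

if __name__ == "__main__":
    print(assess_plugin(SAMPLE))  # the constructed sample is newer, so 'suspect'
```

A 'suspect' verdict is a trigger for the log review and credential rotation described above, not proof of compromise on its own.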

The timing of this incident raises questions about Checkmarx's security posture. The KICS compromise occurred weeks prior, suggesting either related access or a pattern of weakened controls. DevSecOps teams should treat this as a critical incident requiring forensic investigation and potentially full credential rotation for any systems the Jenkins controller or its agents can reach.

Checkmarx has not detailed the specific malicious functionality of the backdoored plugin. Organizations cannot assume their builds remain clean without thor