Checkmarx Jenkins AST Plugin Modified In TeamPCP Supply Chain Attack Linked To Ongoing DevSecOps Breaches

Checkmarx has confirmed that a modified version of its Jenkins AST plugin was published to the Jenkins Marketplace, marking another incident tied to an ongoing supply chain attack campaign attributed to the cybercrime group known as TeamPCP. The cybersecurity company stated that users should ensure they are running version 2.0.13-829.vc72453fa_1c16, which was published on December 17, 2025, or any earlier verified release, as newer versions are under review following the discovery. At the time of reporting, Checkmarx has also released version 2.0.13-848.v76e89de8a_053 on both GitHub and the Jenkins Marketplace, while noting that it is still in the process of publishing a fully verified update. The company has not disclosed how the compromised plugin version was introduced into the distribution channel, leaving open questions about the point of intrusion within its development or release pipeline.
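The advisory above boils down to a version check: anything at or before the verified release is acceptable, anything newer is under review until Checkmarx publishes a verified update. The following is an added example (not Checkmarx's or Jenkins' own code) of how a defender could audit an instance's installed plugin versions against that baseline. It parses the Jenkins incremental-version format used by the plugin (`<version>-<build>.v<hash>`) and orders releases by version and build number; the plugin id `checkmarx-ast-scanner` and the installed-plugin list are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Last verified release named in the advisory; newer builds are under review.
VERIFIED_BASELINE = "2.0.13-829.vc72453fa_1c16"

# Jenkins incremental versions look like "2.0.13-829.vc72453fa_1c16":
# a dotted version, a build counter, and a git-derived hash after ".v".
# Plain dotted versions (older releases) are accepted as well.
_VERSION_RE = re.compile(
    r"^(?P<semver>\d+(?:\.\d+)*)(?:-(?P<build>\d+)\.v(?P<hash>[0-9a-z_]+))?$"
)


@dataclass(frozen=True)
class PluginVersion:
    semver: tuple
    build: int
    commit: str

    @classmethod
    def parse(cls, text: str) -> "PluginVersion":
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised plugin version: {text!r}")
        semver = tuple(int(p) for p in m.group("semver").split("."))
        build = int(m.group("build")) if m.group("build") else 0
        return cls(semver, build, m.group("hash") or "")

    def key(self):
        # Order by dotted version first, then by build counter; the hash
        # identifies a build but carries no ordering information.
        return (self.semver, self.build)


def is_verified(version: str, baseline: str = VERIFIED_BASELINE) -> bool:
    """True if `version` is the verified release or an earlier one."""
    return PluginVersion.parse(version).key() <= PluginVersion.parse(baseline).key()


def audit(installed: dict, watchlist: dict) -> list:
    """Return (plugin_id, installed_version, baseline) for every watched
    plugin whose installed version is newer than its verified baseline."""
    findings = []
    for plugin_id, baseline in watchlist.items():
        current = installed.get(plugin_id)
        if current is not None and not is_verified(current, baseline):
            findings.append((plugin_id, current, baseline))
    return findings


# Constructed sample: plugin id is assumed, versions are from the advisory.
WATCHLIST = {"checkmarx-ast-scanner": VERIFIED_BASELINE}
SAMPLE_INSTALLED = {
    "checkmarx-ast-scanner": "2.0.13-848.v76e89de8a_053",
    "git": "5.2.2",
}

if __name__ == "__main__":
    for plugin_id, current, baseline in audit(SAMPLE_INSTALLED, WATCHLIST):
        print(f"{plugin_id}: {current} is newer than verified {baseline}; review before use")
```

On a real instance the `installed` mapping would be populated from the plugin manager (for example the `Plugins` page or the script console) rather than the constructed dictionary; the comparison logic is unchanged.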

The incident is part of a broader pattern of attacks linked to TeamPCP, which has repeatedly targeted Checkmarx infrastructure over recent weeks. The group was previously attributed to a compromise involving the Checkmarx KICS Docker image, along with two Visual Studio Code extensions and a GitHub Actions workflow. Those earlier breaches were reportedly used to distribute credential-stealing malware aimed at developer environments. The same campaign was also connected to the temporary compromise of the Bitwarden CLI npm package, which was manipulated to deliver a similar information-stealing payload capable of extracting a wide range of developer secrets. Security researchers have described the campaign as a coordinated effort focused on exploiting trust within software development ecosystems, particularly targeting widely used DevSecOps tools and pipelines.

Further investigation shared by security researcher Adnan Khan alongside insights from SOCRadar indicates that TeamPCP may have gained unauthorized access to the Jenkins AST plugin GitHub repository itself. Reports suggest that the attackers renamed the repository to “Checkmarx-Fully-Hacked-by-TeamPCP-and-Their-Customers-Should-Cancel-Now,” signaling direct control over the codebase during the intrusion. The compromised repository was also modified with a message criticizing Checkmarx, stating “Checkmarx fails to rotate secrets again. with love – TeamPCP.” These actions indicate not only technical compromise but also intentional defacement designed to publicly highlight the breach and undermine confidence in the organization’s security posture.

SOCRadar assessed that the rapid return of TeamPCP to Checkmarx systems shortly after previous remediation efforts suggests potential gaps in incident response or lingering access pathways. The analysis highlighted two primary possibilities: either incomplete remediation during the earlier March response, including a failure to fully rotate compromised credentials, or persistent access maintained by the threat actor that was not detected during cleanup operations. The group is believed to be actively monitoring defensive responses and identifying re-entry points to continue exploiting weaknesses in supply chain security. The repeated targeting of CI/CD pipelines, developer tools, and plugin ecosystems demonstrates a sustained focus on high-trust software distribution channels, raising ongoing concerns across the DevSecOps community regarding dependency integrity and repository security controls.
