
Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace.
“If you’re utilizing Checkmarx Jenkins AST plugin, it’s essential to guarantee that you’re utilizing the model 2.0.13-829.vc72453fa_1c16 that was revealed on December 17, 2025 or beforehand,” the cybersecurity firm said in a statement over the weekend.
As of writing, Checkmarx has released 2.0.13-848.v76e89de8a_053 on both GitHub and the Jenkins Marketplace, though its incident update still notes that it is “within the means of publishing a brand new model of this plugin.” It did not disclose how the malicious plugin version was published.
The development is the latest attack orchestrated by TeamPCP targeting Checkmarx. It comes a few weeks after the notorious cybercrime group was linked to the compromise of its KICS Docker image, two VS Code extensions, and a GitHub Actions workflow to push credential-stealing malware.
The breach, in turn, resulted in the brief compromise of the Bitwarden CLI npm package to serve the same stealer, which can harvest a range of developer secrets.
TeamPCP has been linked to a series of breaches since March 2026 as part of a sprawling campaign that exploits the inherent trust in the software supply chain to propagate its malware and expand its reach.
According to details shared by security researcher Adnan Khan and SOCRadar, TeamPCP is said to have gained unauthorized access to the plugin’s GitHub repository and renamed it to “Checkmarx-Absolutely-Hacked-by-TeamPCP-and-Their-Prospects-Ought to-Cancel-Now.”
The defaced repository was also updated to include the description: “Checkmarx fails to rotate secrets and techniques once more. with love – TeamPCP.”
“The truth that TeamPCP is again inside Checkmarx methods simply weeks later factors to certainly one of two prospects: both the preliminary remediation was incomplete and credentials weren’t totally rotated, or the group retained a foothold that wasn’t recognized through the March response,” SOCRadar said.
“A second Checkmarx incident taking place this quickly suggests the group is actively expecting re-entry factors, testing the depth of previous remediations, and capitalizing on any gaps.”

