Particle.news

Checkmarx Confirms Tainted Jenkins Plugin and Ships Clean Updates

The case shows how stolen build credentials can let attackers poison trusted developer tools.

Overview

  • Checkmarx said a malicious version of its Jenkins Application Security Testing plugin was posted to the Jenkins Marketplace and it released clean replacements, including version 2.0.13-848.
  • The company urged users to stick to the known-good December 2025 release 2.0.13-829 or later clean builds, and it has not explained how the rogue version was published.
  • The plugin lets teams run Checkmarx code scans inside Jenkins, a common tool for automating software builds and releases, which makes a tainted release a path to steal developer credentials.
  • Researchers link this incident to TeamPCP, which used access from a Trivy-related breach to push backdoored KICS Docker images, VS Code extensions, and a GitHub Action that briefly tainted Bitwarden’s CLI package.
  • Adnan Khan and SOCRadar reported the plugin repository was defaced and warned the repeat activity points to incomplete credential rotation or a lingering foothold, while Checkmarx shared indicators of compromise and said its GitHub code is separate from customer production.
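The practical takeaway from the second bullet is version hygiene: know which plugin builds are vetted and flag anything else. The script below is an added example, not code from the article, from Checkmarx or from the Jenkins project. It parses Jenkins-style plugin versions (`2.0.13-848`, i.e. a dotted release plus a build number), compares an installed version against the known-good baseline `2.0.13-829` and the explicit allowlist of clean builds named above, and reports three outcomes: `ok`, `below-baseline` (older than the known-good release), and `not-allowlisted` (newer than the baseline but not a build you have vetted). The plugin short name `checkmarx-ast-scanner` and the sample inventory are assumptions and constructed data; the inventory shape mirrors the `plugins` array returned by Jenkins' `/pluginManager/api/json?depth=1`, which is a real endpoint, but none of the sample versions other than the two named on the page are real releases.

```python
"""Added example (not from the article, Checkmarx or Jenkins): flag a Jenkins
plugin whose installed version is not an explicitly vetted clean build, or is
older than the known-good baseline named in the reporting."""
import re
from dataclasses import dataclass

# Versions named in the article: the known-good December 2025 release and the
# clean replacement Checkmarx shipped afterwards.
BASELINE = "2.0.13-829"
CLEAN_VERSIONS = {"2.0.13-829", "2.0.13-848"}

# ASSUMPTION: plugin short name used as a placeholder; confirm it on your own
# controller under Manage Jenkins > Plugins before relying on it.
PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn '2.0.13-848' into ((2, 0, 13), 848) so versions compare as tuples.
    A version without a trailing build number gets build 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return (release, build)


@dataclass
class Finding:
    short_name: str
    version: str
    status: str  # "ok", "below-baseline" or "not-allowlisted"


def assess_plugin(short_name: str, version: str) -> Finding:
    """Classify one installed plugin version against the allowlist and baseline."""
    if version in CLEAN_VERSIONS:
        return Finding(short_name, version, "ok")
    if parse_version(version) < parse_version(BASELINE):
        return Finding(short_name, version, "below-baseline")
    # Newer than the baseline but not a build anyone has vetted: report it as
    # unverified rather than assuming a higher number means a clean release.
    return Finding(short_name, version, "not-allowlisted")


def scan_plugins(plugins: list) -> list:
    """Assess every entry for the Checkmarx plugin in a Jenkins plugin inventory.
    `plugins` follows the shape of the 'plugins' array from
    /pluginManager/api/json?depth=1: dicts with 'shortName' and 'version'."""
    return [
        assess_plugin(p["shortName"], p["version"])
        for p in plugins
        if p["shortName"] == PLUGIN_SHORT_NAME
    ]


# CONSTRUCTED sample inventory: the two Checkmarx versions marked "named in
# article" are real; the remaining entries and versions are made up for the
# demonstration and are not claims about any real release.
SAMPLE_PLUGINS = [
    {"shortName": "git", "version": "5.2.2"},                       # constructed, ignored
    {"shortName": PLUGIN_SHORT_NAME, "version": "2.0.13-848"},      # named in article
    {"shortName": PLUGIN_SHORT_NAME, "version": "2.0.12-800"},      # constructed, older
    {"shortName": PLUGIN_SHORT_NAME, "version": "2.0.14-900"},      # constructed, unvetted
]


if __name__ == "__main__":
    for finding in scan_plugins(SAMPLE_PLUGINS):
        print(f"{finding.short_name} {finding.version}: {finding.status}")
```

The allowlist deliberately takes precedence over the numeric comparison: a build number higher than the baseline proves nothing about who built it, which is exactly the gap a tainted marketplace release exploits, so any version you have not vetted is reported as `not-allowlisted` for a human to confirm against the vendor's published indicators.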