{"id":877,"date":"2026-05-11T19:33:27","date_gmt":"2026-05-11T19:33:27","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=877"},"modified":"2026-05-11T19:33:27","modified_gmt":"2026-05-11T19:33:27","slug":"teampcp-compromises-checkmarx-jenkins-ast-plugin-weeks-after-kics-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=877","title":{"rendered":"TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>May 11, 2026<\/span><\/span>Supply Chain Attack \/ DevSecOps<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Checkmarx has confirmed that a modified version of the Jenkins AST plugin<\/a> was published to the Jenkins Marketplace.<\/p>\n

\u00abIf you are using Checkmarx Jenkins AST plugin, you need to ensure that you are using the version 2.0.13-829.vc72453fa_1c16 that was published on December 17, 2025 or previously,\u00bb the cybersecurity company said<\/a> in a statement over the weekend.<\/p>\n

As of writing, Checkmarx has released 2.0.13-848.v76e89de8a_053 on both GitHub and the Jenkins Marketplace, although its incident update still notes that it’s \u00abin the process of publishing a new version of this plugin.\u00bb It did not disclose how the malicious plugin version was published.<\/p>\n

The development is the latest attack orchestrated by TeamPCP targeting Checkmarx. It arrives a couple of weeks after the notorious cybercrime group was attributed to the compromise of its KICS Docker image, two VS Code extensions, and a GitHub Actions workflow to push credential-stealing malware.<\/p>\n

The breach, in turn, resulted in the brief compromise of the Bitwarden CLI npm package to serve a similar stealer that can harvest a wide range of developer secrets.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

TeamPCP has been linked to a series of breaches since March 2026 as part of a sprawling campaign that exploits the inherent trust in the software supply chain to propagate its malware and expand its reach.<\/p>\n

According to details shared by security researcher Adnan Khan<\/a> and SOCRadar<\/a>, TeamPCP is said to have gained unauthorized access to the plugin’s GitHub repository and renamed it to \u00abCheckmarx-Fully-Hacked-by-TeamPCP-and-Their-Customers-Should-Cancel-Now.\u00bb<\/p>\n

The defaced repository was also updated to include the description: \u00abCheckmarx fails to rotate secrets again. with love \u2013 TeamPCP.\u00bb<\/p>\n

\u00abThe fact that TeamPCP is back inside Checkmarx systems just weeks later points to one of two possibilities: either the initial remediation was incomplete and credentials were not fully rotated, or the group retained a foothold that wasn’t identified during the March response,\u00bb SOCRadar said.<\/p>\n

\u00abA second Checkmarx incident happening this soon suggests the group is actively watching for re-entry points, testing the depth of past remediations, and capitalizing on any gaps.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

\ue804Ravie Lakshmanan\ue802May 11, 2026Supply Chain Attack \/ DevSecOps Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace. \u00abIf you are using…<\/p>\n","protected":false},"author":1,"featured_media":878,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1604,220,219,857,173,1603,1363,1258,218,855,1605],"class_list":["post-877","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-ast","tag-attack","tag-chain","tag-checkmarx","tag-compromises","tag-jenkins","tag-kics","tag-plugin","tag-supply","tag-teampcp","tag-weeks"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/877","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=877"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/877\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/878"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=877"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=877"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=877"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}