TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2026/05/teampcp-compromises-checkmarx-jenkins.html

ONE SENTENCE SUMMARY:

Checkmarx confirmed a tampered Jenkins AST plugin publication, linked to TeamPCP, highlighting repeated supply-chain compromises and likely incomplete remediation.

MAIN POINTS:

  1. Checkmarx acknowledged a modified Jenkins AST plugin appeared in the Jenkins Marketplace.
  2. Users were told to stay on version 2.0.13-829.vc72453fa_1c16 or earlier.
  3. Checkmarx released version 2.0.13-848.v76e89de8a_053 on GitHub and Marketplace.
  4. Incident updates still suggested a new plugin version was being published.
  5. The company did not explain how the malicious version reached the Marketplace.
  6. TeamPCP was identified as the attacker targeting Checkmarx again.
  7. Earlier compromises included the KICS Docker image, VS Code extensions, and a GitHub Actions workflow.
  8. The Bitwarden CLI npm package was briefly compromised to distribute credential-stealing malware.
  9. Researchers reported unauthorized access to the plugin’s GitHub repo and defacement/renaming.
  10. SOCRadar inferred unrotated credentials or an undetected foothold enabled rapid re-entry.

TAKEAWAYS:

  1. Verify installed Jenkins plugin versions immediately and roll back any build newer than the known-safe one.
  2. Supply-chain trust is being exploited to distribute credential stealers through developer tooling.
  3. Secret rotation and credential hygiene appear central to preventing repeated intrusions.
  4. Monitor code repositories for defacement, renames, and unauthorized administrative actions.
  5. Treat rapid repeat incidents as evidence of incomplete remediation or persistent access.
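As an added example (not code from the article or from Checkmarx), a Python checker for the first takeaway: it parses Jenkins incrementals-style version strings like the two quoted above and classifies the installed Checkmarx AST plugin against those builds, flagging anything newer than the known-safe build that is not the published fix for manual review. The plugin short name `checkmarx-ast-scanner` and the sample plugin-manager JSON are assumptions.

```python
"""Classify installed Checkmarx Jenkins AST plugin versions against the builds
named in the advisory summary: known-safe <= 2.0.13-829, published fix = 2.0.13-848."""
import json
import re

# Build identifiers are the ones quoted in the summary; the short name is an assumption.
PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"   # assumed plugin ID; confirm in your instance
LAST_KNOWN_SAFE = "2.0.13-829.vc72453fa_1c16"
FIXED_RELEASE = "2.0.13-848.v76e89de8a_053"

# Jenkins incrementals format: <release>-<build>.v<commit-hash>
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)\.v([0-9a-f_]+)$")


def parse_version(v: str) -> tuple[tuple[int, ...], int, str]:
    """Split '2.0.13-829.vc72453fa_1c16' into ((2,0,13), 829, 'c72453fa_1c16')."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins plugin version: {v!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    return release, int(m.group(2)), m.group(3)


def classify(installed: str) -> str:
    """Return 'safe', 'fixed', or 'review' for one installed plugin version."""
    rel, build, commit = parse_version(installed)
    safe_rel, safe_build, _ = parse_version(LAST_KNOWN_SAFE)
    fix_rel, fix_build, fix_commit = parse_version(FIXED_RELEASE)
    if (rel, build) <= (safe_rel, safe_build):
        return "safe"
    if (rel, build, commit) == (fix_rel, fix_build, fix_commit):
        return "fixed"
    # Newer than the known-safe build but not the published fix: check by hand.
    return "review"


def audit_plugins(plugin_manager_json: str) -> dict[str, str]:
    """Walk /pluginManager/api/json?depth=1 output and classify the Checkmarx plugin."""
    data = json.loads(plugin_manager_json)
    findings = {}
    for p in data.get("plugins", []):
        if p.get("shortName") == PLUGIN_SHORT_NAME:
            findings[p["version"]] = classify(p["version"])
    return findings


# Constructed sample shaped like the Jenkins plugin-manager API response.
SAMPLE = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.2.1"},
    {"shortName": PLUGIN_SHORT_NAME, "version": "2.0.13-840.v0123456789a_b"},
]})

if __name__ == "__main__":
    for ver, verdict in audit_plugins(SAMPLE).items():
        print(f"{PLUGIN_SHORT_NAME} {ver}: {verdict}")
```

A version that only differs from the fix in its commit hash is deliberately sent to "review", since the build number alone does not prove it is the release Checkmarx published.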