Checkmarx has confirmed {that a} modified model of the Jenkins AST plugin was printed to the Jenkins Market.
“If you’re utilizing Checkmarx Jenkins AST plugin, it is advisable to guarantee that you’re utilizing the model 2.0.13-829.vc72453fa_1c16 that was printed on December 17, 2025 or beforehand,” the cybersecurity firm mentioned in an announcement over the weekend.
As of writing, Checkmarx has launched 2.0.13-848.v76e89de8a_053 on each GitHub and the Jenkins Market, though its incident replace nonetheless notes that it is “within the means of publishing a brand new model of this plugin.” It didn’t disclose how the malicious plugin model was printed.
The event is the newest assault orchestrated by TeamPCP concentrating on Checkmarx. It arrives a few weeks after the infamous cybercrime group was attributed to the compromise of its KICS Docker picture, two VS Code extensions, and a GitHub Actions workflow to push credential-stealing malware.
The breach, in flip, resulted within the temporary compromise of the Bitwarden CLI npm package deal to serve the same stealer that may harvest a variety of developer secrets and techniques.
TeamPCP has been linked to a collection of breaches since March 2026 as a part of a sprawling marketing campaign that exploits the inherent belief within the software program provide chain to propagate its malware and increase its attain.
In keeping with particulars shared by safety researcher Adnan Khan and SOCRadar, TeamPCP is alleged to have gained unauthorized entry to the plugin’s GitHub repository and renamed it to “Checkmarx-Absolutely-Hacked-by-TeamPCP-and-Their-Clients-Ought to-Cancel-Now.”
The defaced repository was additionally up to date to incorporate the outline: “Checkmarx fails to rotate secrets and techniques once more. with love – TeamPCP.”
“The truth that TeamPCP is again inside Checkmarx techniques simply weeks later factors to one among two potentialities: both the preliminary remediation was incomplete and credentials weren’t absolutely rotated, or the group retained a foothold that wasn’t recognized through the March response,” SOCRadar mentioned.
“A second Checkmarx incident taking place this quickly suggests the group is actively looking ahead to re-entry factors, testing the depth of previous remediations, and capitalizing on any gaps.”
