โŒ

Normal view

Checkmarx tackles another TeamPCP intrusion as Jenkins plugin sabotaged

11 May 2026 at 14:11
Checkmarxโ€™s software engineers are still working to remove a malicious version of the code security outfit's Jenkins plugin after detecting an unauthorized upload over the weekend. It updated customers on Saturday, May 9, after discovering a version of its AST Scanner, which is used for security scans in Jenkins CI pipelines, was made available via the Jenkins Marketplace. โ€œWe are aware that a modified version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace,โ€ it said in a statement. โ€œWe are in the process of publishing a new version of this plug-in.โ€ Versions published as of May 9, 2026, should not be trusted, it added, before urging all users to check theyโ€™re running the correct release (2.0.13-829.vc72453fa_1c16) published on December 17, 2025. Installed by several hundred controllers, the plugin remains available at the time of writing, and appears as the most recently available version, although pull requests actioned on Monday morning suggest this will soon be pulled down. โ€œWhat makes this particularly dangerous for Jenkins users is the trust model at play,โ€ said SOCRadar in its coverage. โ€œThe Checkmarx Jenkins plugin is a tool people install specifically to improve the security of their pipelines. โ€œA backdoored version doesnโ€™t just compromise one project; it rides trusted infrastructure into every build pipeline it touches, with access to source code, environment variables, tokens, and whatever secrets the runner can see.โ€ Security engineer Adnan Khan spotted the compromise quickly over the weekend. The crew behind the early supply chain attack affecting Checkmarx in April, TeamPCP, defaced the companyโ€™s GitHub and published six packages, each with a description alluding to the Shai-Hulud wormable malware. These packages no longer appear on Checkmarxโ€™s GitHub, but TeamPCP made multiple changes to the AST plugins page, renaming it to โ€œCheckmarx-Fully-Hacked-by-TeamPCP-and-Their-Customers-Should-Cancel-Now,โ€ and altering the description to claim CheckMarx failed to rotate its secrets. The latest infiltration of Checkmarxโ€™s internals marks the third time TeamPCP has compromised the companyโ€™s packages in as many months. As previously seen in The Register, the crooks successfully targeted Checkmarxโ€™s AST plugin for GitHub Actions and its KICS static analysis tool back in March, deploying credential-stealing malware. SOCRadar said the latest TeamPCP compromise of the Jenkins plugin suggests that either TeamPCP was telling the truth about Checkmarxโ€™s secrets rotation, or its members took advantage of an additional persistence mechanism that the security vendor failed to notice during its response to the March intrusion. ยฎ

Initial Access Operations Part 2: Offensive DevOps

By: BHIS
29 February 2024 at 15:00

The Challenge As stated in PART 1 of this blog, the Windows endpoint defense technology stack in a mature organization represents a challenge for Red Teamer initial access operations. For [โ€ฆ]

The post Initial Access Operations Part 2: Offensive DevOps appeared first on Black Hills Information Security, Inc..

โŒ