TeamPCP Hacks Checkmarx Jenkins Plugin: Supply Chain Attack Alert
Checkmarx has confirmed that threat actors from TeamPCP published a malicious version of the Jenkins AST plugin to the Jenkins Marketplace. The compromised version, 2.0.13-829.vc72453fa_1c16, was published on December 17, 2025, and organizations using the Checkmarx Jenkins AST plugin must verify that they have upgraded to the patched version, 2.0.13-848.v76e89de8a_053. The cybersecurity company stated that the remediation process is still ongoing, though the latest version has been released on both GitHub and the Jenkins Marketplace. The company has not disclosed how the malicious plugin version was originally published to the marketplace. Security teams should immediately audit their CI/CD pipelines and verify plugin integrity using tools like our SSL/TLS checker to ensure secure connections throughout their development infrastructure.
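An added example (not Checkmarx's or Jenkins' own code) of the version check described above: it classifies the installed plugin version from the JSON that a Jenkins controller returns at /pluginManager/api/json?depth=1. The short name checkmarx-ast-scanner and the ordering of versions by build number are assumptions, and the sample JSON is constructed.

```python
import json
import re

# Versions taken from the advisory text above.
COMPROMISED = "2.0.13-829.vc72453fa_1c16"
PATCHED = "2.0.13-848.v76e89de8a_053"
# Assumption: the plugin's Jenkins short name; confirm it on your controller.
PLUGIN_ID = "checkmarx-ast-scanner"

# Layout seen in both version strings: <base>-<build>.v<commit id>
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)\.v([0-9a-f_]+)$")

def parse_version(version):
    """Split '<base>-<build>.v<commit>' into ((base ints), build, commit)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    base = tuple(int(p) for p in m.group(1).split("."))
    return base, int(m.group(2)), m.group(3)

def classify(version):
    """Map a version string to a triage status."""
    if version.strip() == COMPROMISED:
        return "COMPROMISED"
    parsed, fixed = parse_version(version), parse_version(PATCHED)
    if parsed is None:
        return "UNKNOWN_FORMAT"  # do not guess; review by hand
    # Assumption: (base version, build number) orders releases.
    if parsed[:2] >= fixed[:2]:
        return "PATCHED_OR_LATER"
    return "UPGRADE_REQUIRED"

def audit(plugin_json, plugin_id=PLUGIN_ID):
    """Return (status, version) for plugin_id, or NOT_INSTALLED if absent."""
    for plugin in json.loads(plugin_json).get("plugins", []):
        if plugin.get("shortName") == plugin_id:
            version = plugin.get("version", "")
            return classify(version), version
    return "NOT_INSTALLED", None

# Constructed sample in the shape of /pluginManager/api/json?depth=1
SAMPLE = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.2.1"},
    {"shortName": PLUGIN_ID, "version": COMPROMISED},
]})

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A version string only shows what is installed now, not whether the compromised build ran earlier, so a PATCHED_OR_LATER result does not replace the credential rotation and pipeline audit the article calls for.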
The attack represents TeamPCP's second major compromise of Checkmarx systems within weeks. In March 2026, the breach of Checkmarx's KICS Docker image, two VS Code extensions, and a GitHub Actions workflow to push credential-stealing malware was attributed to the threat group. This initial breach subsequently resulted in the brief compromise of the Bitwarden CLI npm package, which served a similar stealer capable of harvesting developer secrets across compromised environments. Security researchers Adnan Khan and SOCRadar documented that TeamPCP gained unauthorized access to the plugin's GitHub repository, renaming it to "Checkmarx-Fully-Hacked-by-TeamPCP-and-Their-Customers-Should-Cancel-Now" and updating the description to mock Checkmarx's security practices. Organizations can use our port scanner to identify exposed entry points that threat actors might exploit for initial access.
SOCRadar's analysis suggests two possible explanations for the rapid follow-up attack: either Checkmarx's initial remediation was incomplete with credentials left unrotated, or TeamPCP maintained a persistent foothold that wasn't detected during the March incident response. "A second Checkmarx incident happening this soon suggests the group is actively watching for re-entry points, testing the depth of past remediations, and capitalizing on any gaps," SOCRadar noted. This pattern demonstrates the sophisticated tradecraft of TeamPCP, which has been linked to a sprawling campaign since March 2026 exploiting inherent trust in software supply chains. Development teams should conduct thorough credential rotations and use our password checker to ensure no compromised credentials remain active in their systems. The recurring nature of these attacks underscores the critical importance of continuous monitoring and comprehensive incident response in DevSecOps environments.