Checkmarx says a threat actor tracked as TeamPCP compromised internal and open-source assets, including the Checkmarx One Jenkins plugin release process. The incident led to a rogue Checkmarx AST Scanner Jenkins plugin version, 2026.5.09, being published outside the official release pipeline [1][2]. For teams that use Jenkins to scan source code, this is a supply-chain issue with direct CI/CD exposure: the plugin can sit where source archives, build variables, scanner tokens, and deployment secrets pass through the pipeline.
Jenkins now lists a security warning for the Checkmarx AST Scanner plugin, and the Jenkins update-center pull request states that version 2026.5.09 was not officially released by Checkmarx and contained malicious code [2][3]. The detail that matters operationally is version drift. A Jenkins controller may look healthy while one job, plugin cache, backup image, or offline mirror still contains the rogue package.
What Jenkins Teams Should Check
The first check is the installed plugin version and its origin. Confirm the Checkmarx AST Scanner plugin version from Jenkins, compare it with the current Jenkins plugin page, and review plugin installation history, update-center cache, and any internal artifact mirror that may have pulled 2026.5.09. If the rogue version was installed, treat the controller as exposed, not merely outdated.
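As an added example (not code from Checkmarx, Jenkins or this article), a Python helper for the first check: it flags the rogue version in a controller's plugin-manager API output and in the MANIFEST.MF of plugin archives found in a plugin cache, backup or internal mirror. The plugin short name checkmarx-ast-scanner is assumed; the rogue version string is the one named in the advisory.

```python
import json
import zipfile
from typing import Optional

ROGUE_VERSIONS = {"2026.5.09"}          # version named in the advisory
PLUGIN_ID = "checkmarx-ast-scanner"     # assumed plugin short name (id)

def flag_installed(plugin_api_json: str) -> list:
    """Report each Checkmarx AST Scanner entry in GET /pluginManager/api/json?depth=1."""
    findings = []
    for p in json.loads(plugin_api_json).get("plugins", []):
        if p.get("shortName") != PLUGIN_ID:
            continue
        version = str(p.get("version", "")).strip()
        findings.append({"version": version, "active": bool(p.get("active")),
                         "rogue": version in ROGUE_VERSIONS})
    return findings

def parse_manifest(text: str) -> dict:
    """Parse META-INF/MANIFEST.MF; lines starting with a space continue the previous one."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            fields[key] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            key = key.strip()
            fields[key] = value.strip()
    return fields

def flag_manifest(text: str) -> Optional[bool]:
    """True = rogue version, False = other version of the plugin, None = different plugin."""
    f = parse_manifest(text)
    if f.get("Short-Name") != PLUGIN_ID:
        return None
    return f.get("Plugin-Version") in ROGUE_VERSIONS

def flag_jpi_file(path: str) -> Optional[bool]:
    """Same check on a .jpi/.hpi archive found in a plugin cache, backup or mirror."""
    with zipfile.ZipFile(path) as z:
        return flag_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))

# Constructed sample inputs, not data from a real controller.
SAMPLE_API = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.7.0", "active": True},
    {"shortName": PLUGIN_ID, "version": "2026.5.09", "active": True}]})
SAMPLE_MANIFEST = ("Manifest-Version: 1.0\nShort-Name: checkmarx-ast-scanner\n"
                   "Plugin-Version: 2026.5.09\n")
```

Run flag_jpi_file over every .jpi/.hpi under the plugin directory, the update-center cache and any mirror, since a controller whose API reports a clean version can still carry the rogue archive on disk.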
The second check is blast radius. Jenkins jobs often hold scanner tokens, SCM credentials, package registry tokens, cloud keys, and deployment secrets. Rotate secrets that were available to affected jobs, review recent builds for unexpected outbound connections or modified pipeline steps, and inspect whether source archives or workspace data were accessed outside normal build behavior. A credential rotation done before removing the malicious plugin or cleaning the controller can simply hand fresh secrets to the same compromised path.
This incident fits the same developer-trust pattern Gridinsoft recently covered in malicious PyPI packages, fake AI repository malware, and the later Mini Shai-Hulud npm supply-chain wave: attackers do not need every endpoint when they can poison a trusted developer workflow. The useful response is specific inventory, not panic. List Jenkins controllers, plugin versions, plugin cache locations, internal mirrors, affected jobs, and secrets reachable by those jobs; then rotate only after the compromised component is removed and the controller is trusted again.
References
- [1] Checkmarx: ongoing security updates, May 2026.
- [2] Jenkins plugin page: Checkmarx AST Scanner security warning, May 2026.
- [3] Jenkins update-center pull request removing the rogue version, May 10, 2026.
Related supply-chain case: The later node-ipc npm compromise shows why CI and developer secrets need rotation after malicious package execution, even when the entry point is not a Jenkins plugin.