# Supply Chain Under Fire as Malicious Jenkins Plugin Discovered

*Monday, May 11, 2026 at 8:06 PM UTC — Hamer Intelligence Services Desk*

**Published**: 2026-05-11T20:06:49.573Z
**Category**: cyber | **Region**: Global
**Importance**: 8/10
**Sources**: OSINT
**Permalink**: https://hamerintel.com/data/articles/3538.md
**Source**: https://hamerintel.com/summaries

---

**Deck**: By 18:33 UTC on 11 May 2026, a compromised Checkmarx Jenkins AST plugin—allegedly altered after a breach of its GitHub repository—was found in the official Jenkins Marketplace. The incident, linked to the TeamPCP actor, extends a pattern of software supply-chain attacks affecting CI/CD, development tools, and security products.

## Key Takeaways
- Around 18:33 UTC on 11 May 2026, a malicious version of the Checkmarx Jenkins AST plugin was identified in the official Jenkins Marketplace.
- Attackers allegedly breached the plugin’s GitHub repository and injected malicious code before distribution to users.
- The campaign is linked to the TeamPCP actor, previously associated with compromises of Docker images, VS Code extensions, GitHub Actions workflows, and npm packages.
- The incident highlights systemic vulnerabilities in the software supply chain, especially around CI/CD and security tooling.
- Organizations using the affected plugin face potential credential theft, code tampering, and lateral movement risks.

By 18:33 UTC on 11 May 2026, security reporting confirmed that a malicious variant of the Checkmarx Jenkins AST plugin had been published to the Jenkins Marketplace, following an apparent breach of the plugin’s GitHub repository. The compromised plugin, used to integrate application security testing into Jenkins continuous integration (CI) pipelines, was distributed through an official channel, significantly increasing its reach and trust level.

The operation is attributed to the threat actor TeamPCP, which has recently been implicated in a string of supply-chain compromises affecting multiple development and security tools, including Docker images, Visual Studio Code extensions, GitHub Actions workflows, and the Bitwarden CLI npm package.

### Background & Context

Software supply-chain attacks have become a central concern for both industry and governments since high-profile incidents targeting widely used IT management and development platforms. CI/CD pipelines, which automate code building, testing, and deployment, are particularly attractive targets: compromise at this layer can give attackers covert access to proprietary source code, secrets, and production environments.

The Checkmarx Jenkins AST plugin sits directly in this sensitive path, orchestrating code scans and interacting with source repositories, artifact stores, and issue trackers. A malicious modification could allow threat actors to exfiltrate source code, harvest credentials and tokens, insert backdoors into builds, or selectively sabotage security scanning.

TeamPCP’s pattern of targeting developer and security tooling suggests a strategic focus on environments where compromise enables broad downstream access. By infiltrating tools used to secure software, attackers gain an opportunity to evade detection while embedding themselves deeper in the development lifecycle.

### Key Players Involved

- **TeamPCP**: A sophisticated threat actor focusing on software supply-chain vectors and developer ecosystems. Their exact affiliations remain unclear, but their operations demonstrate advanced technical capability and planning.
- **Jenkins ecosystem**: The Jenkins project, plugin maintainers, and the plugin marketplace, which collectively govern distribution and trust in CI/CD extensions.
- **Checkmarx plugin users**: Enterprises and development teams integrating application security testing into Jenkins pipelines using the affected plugin; they may span sectors including finance, technology, government, and critical infrastructure.

Security vendors and national cyber agencies will play important roles in incident disclosure, hunting for signs of compromise, and setting best-practice guidance.

### Why It Matters

The compromise of a security testing plugin inside a widely deployed CI server has several critical implications:

- **Trust erosion**: Developers and security teams rely on official marketplaces to vet extensions. Discovering malicious code in this channel undercuts confidence in automated tooling and update mechanisms.
- **Blast radius**: A single malicious plugin can reach many organizations, including those with mature security programs. Each victim’s downstream customers and users may be indirectly affected.
- **Stealth potential**: A tainted security plugin can theoretically manipulate scan results, hide injected vulnerabilities, and maintain persistent access.

For organizations, the immediate concerns are whether the compromised plugin was installed, for how long it was active, and what data or systems it could have reached. Possible impacts include theft of source code and proprietary algorithms, compromise of CI credentials (including cloud and repository tokens), and silent insertion of backdoors into built artifacts.

### Regional and Global Implications

Because Jenkins is used globally across industries, the victim set is likely worldwide. Governments have increasingly classified software supply-chain integrity as a matter of national security, especially when compromised tools intersect with critical infrastructure, defense, and public-sector IT.

The incident may trigger regulatory and policy responses, including stronger requirements for software bill of materials (SBOM), tighter controls on plugin publishing, and audits of open-source dependencies. It is also likely to feature in ongoing discussions about liability for insecure software components and the need for standardized supply-chain security frameworks.

From an intelligence perspective, repeated patterns in TeamPCP operations may help attribution efforts and inform defensive strategies. Their focus on interlinked tools (Docker, VS Code, GitHub Actions, npm, Jenkins) suggests a coherent campaign to establish footholds across the modern DevSecOps stack.

## Outlook & Way Forward

In the immediate term, organizations must urgently identify whether they have installed the compromised Checkmarx Jenkins AST plugin and determine the timeframe of exposure. Recommended steps include:

- Removing or replacing the affected plugin and verifying signatures and hashes against known-good versions.
- Rotating credentials, tokens, and keys used within affected Jenkins environments and associated tools.
- Conducting code-integrity reviews for artifacts built during the suspected compromise window, including binary diffing and additional security scans.
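As an added example, not code from the article, from Checkmarx or from the Jenkins project, the following Python script carries out the first of the steps above: it inventories installed plugins from a Jenkins plugin manager API response, hashes each plugin archive on disk, and compares the result against a known-good allowlist. The plugin short name, the sample inventory and all hashes are constructed placeholders; confirm the real short name and vendor-published hashes on your own instance.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Placeholder short name for the Checkmarx Jenkins AST plugin (assumption); confirm on your instance.
WATCHLIST = {"checkmarx-ast-scanner"}


def parse_plugin_inventory(api_json: str) -> dict:
    """Map shortName -> version from a /pluginManager/api/json?depth=1 response."""
    return {p["shortName"]: p["version"] for p in json.loads(api_json)["plugins"]}


def sha256_file(path: Path) -> str:
    """Hash a .jpi file in chunks so large plugins are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_plugins(inventory: dict, plugins_dir: Path, known_good: dict) -> list:
    """Flag watched plugins and any plugin whose on-disk hash is not the known-good one.
    known_good maps "shortName@version" to the expected sha256 hex digest."""
    findings = []
    for name, version in inventory.items():
        jpi = plugins_dir / f"{name}.jpi"
        digest = sha256_file(jpi) if jpi.exists() else None
        expected = known_good.get(f"{name}@{version}")
        if expected is None:
            status = "unverified"  # no reference hash: needs manual review
        else:
            status = "ok" if digest == expected else "MISMATCH"
        if name in WATCHLIST or status != "ok":
            findings.append({"plugin": name, "version": version, "sha256": digest, "status": status})
    return findings


def demo() -> list:
    """Run the audit on a constructed plugin directory and inventory; returns the findings."""
    plugins_dir = Path(tempfile.mkdtemp())
    (plugins_dir / "checkmarx-ast-scanner.jpi").write_bytes(b"constructed plugin bytes")
    (plugins_dir / "git.jpi").write_bytes(b"constructed git plugin bytes")
    inventory = parse_plugin_inventory(json.dumps({"plugins": [
        {"shortName": "checkmarx-ast-scanner", "version": "9.9.9"}, {"shortName": "git", "version": "5.0.0"}]}))
    known_good = {"git@5.0.0": hashlib.sha256(b"constructed git plugin bytes").hexdigest(),  # matches
                  "checkmarx-ast-scanner@9.9.9": hashlib.sha256(b"vendor-published bytes").hexdigest()}
    return audit_plugins(inventory, plugins_dir, known_good)
```

In the constructed run the git plugin hashes to its allowlisted value and is not reported, while the watched plugin is reported with status MISMATCH because its on-disk bytes differ from the reference; a plugin with no reference hash is reported as unverified rather than silently passed.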

The Jenkins project and plugin maintainers will likely move to enhance integrity checks on marketplace submissions, potentially including mandatory multi-party code signing, reproducible builds, and stricter repository access controls. Wider adoption of supply-chain security frameworks (such as SLSA-like models) may accelerate as enterprises seek to reduce this class of risk.

Strategically, defenders should assume that CI/CD environments are high-value targets and treat them accordingly: limit internet exposure, segregate build environments, and monitor for anomalous plugin behavior, outbound connections, and configuration changes. As threat actors continue to innovate in supply-chain attacks, organizations that invest in layered defenses and rigorous provenance controls for their tooling will be better positioned to withstand the next wave of compromises.
