Signal

Checkmarx Jenkins AST plugin compromised in supply chain attack by TeamPCP

Evidence first: scan the strongest sources, then decide whether to go deeper.

Published 2026-05-11 04:11 UTCUpdated 2026-05-11 22:03 UTC

rss

cveexploitssupply_chain_attackincident_responsesecurity_tooling

Trend in the last 24h

Source links open

Source links and full evidence are open here. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.

No card needed for the free brief.

Evidence trail (top sources)

top sources (4 domains)

4 top sources shown

bleepingcomputer_all · News · bleepingcomputer.com · 2026-05-11 22:03 UTC

thehackernews · News · thehackernews.com · 2026-05-11 18:30 UTC

theregister_security · News · theregister.com · 2026-05-11 12:11 UTC

SecurityWeek · News · securityweek.com · 2026-05-11 09:34 UTC

Overview

Coverage discusses speculative scenarios for 2025; treat as market chatter and see linked sources.

Score total

1.6

Momentum 24h

Posts

Origins

Source types

Duplicate ratio

Why now

The compromised plugin was published recently and remains available, increasing exposure risk.
Checkmarx is actively working to remove the malicious version and release a clean update.
This incident follows a recent supply chain attack on another Checkmarx product, indicating persistent targeting.

Why it matters

Supply chain attacks on widely used CI/CD tools can compromise many organizations simultaneously.
Malicious plugins can steal sensitive information and undermine software security processes.
Prompt detection and response are critical to limit damage and restore trust in security tooling.

LLM analysis

Topic mix: lowPromo risk: lowSource quality: high

Recurring claims

A malicious version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace, compromising several hundred installations.
Checkmarx urges users to verify they are running the safe version 2.0.13-829.vc72453fa_1c16 published on December 17, 2025.

How sources frame it