In a massive escalation of an ongoing campaign, the notorious threat group TeamPCP has successfully hijacked the official Checkmarx Jenkins AST Plugin.
This malicious infiltration directly follows a cascading breach that originally started with the compromised Trivy security scanner in March 2026.
By actively exploiting trusted security scanners, hackers have turned defensive development pipelines into highly effective weaponized attack vectors.
Organizations globally are now scrambling to secure their continuous integration and continuous deployment (CI/CD) environments.
Meanwhile, Checkmarx is actively working alongside elite digital forensic specialists to permanently contain the unauthorized access and prevent further catastrophic credential theft.
TeamPCP Targets Jenkins Plugin
The unfolding cybersecurity crisis began on March 19, 2026, when financially motivated cybercriminals from TeamPCP poisoned the Aqua Security Trivy scanner.
The attackers cleverly utilized this initial software supply chain breach to harvest valuable CI/CD secrets and cloud credentials from thousands of downstream enterprise users.
Armed with these stolen system credentials, the hackers bypassed traditional security perimeters. They gained unauthorized access to Checkmarx’s own GitHub repositories on March 23.
Once inside, they ruthlessly pushed malicious code into public deployment artifacts, heavily infecting tools like the KICS DockerHub image and multiple Visual Studio Code extensions.
To make matters worse, sensitive data exfiltrated from Checkmarx during this initial breach window was subsequently published on the dark web by the infamous LAPSUS$ data extortion group on April 25.
Despite aggressive forensic investigations, extensive credential rotations, and active containment efforts throughout April, the threat actors’ dangerous persistence became evident once again on May 9, 2026.
A rogue software update, dangerously labeled as version 2026.5.09, was secretly uploaded directly to the official Jenkins Marketplace.
The Checkmarx Jenkins AST plugin is an incredibly popular development tool that integrates Checkmarx One source code scanning directly into automated Jenkins deployment pipelines.
Checkmarx immediately issued a critical security alert, warning its global user base that the rogue update was specifically designed to silently harvest environment variables and network secrets.
Indicators of Compromise
Security researchers have identified several critical pieces of evidence related to this dangerous supply-chain infection.
Security operations centers must urgently scan their local and cloud environments, remove the offending files, and actively block the following malicious network domains.
| Artifact Type | File / Target Name | Version | SHA-256 Hash / IP Address |
|---|---|---|---|
| Jenkins Plugin | checkmarx-ast-scanner-2026.5.09.hpi | 2026.5.09 | 01ff1e56fd59a8fa525d97e670f7f297a1a204331b89b2cd4e36a9abc6419203 |
| Java Archive | checkmarx-ast-scanner-2026.5.09.jar | 2026.5.09 | f50a96d26a5b0beb29de4127e82b2bf350c21511e5a43d286e43f798dc6cd53f |
| Maven POM | checkmarx-ast-scanner-2026.5.09.pom | 2026.5.09 | 3ddb8967919a801b3c383e58cddceab21138134c6a26560d99e2672e86f36f2a |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
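The following sketch shows one way to run the file scan described above against a Jenkins home or artifact cache. It is an added example, not code from Checkmarx or the original article. It assumes installed plugins may be stored under a different file name (for example `.jpi`), so it also reads the archive's `META-INF/MANIFEST.MF`, and it assumes the plugin ID and version match the file names in the table.

```python
import hashlib
import sys
import zipfile
from pathlib import Path

# SHA-256 values copied from the IoC table on this page.
IOC_SHA256 = {
    "01ff1e56fd59a8fa525d97e670f7f297a1a204331b89b2cd4e36a9abc6419203": "checkmarx-ast-scanner-2026.5.09.hpi",
    "f50a96d26a5b0beb29de4127e82b2bf350c21511e5a43d286e43f798dc6cd53f": "checkmarx-ast-scanner-2026.5.09.jar",
    "3ddb8967919a801b3c383e58cddceab21138134c6a26560d99e2672e86f36f2a": "checkmarx-ast-scanner-2026.5.09.pom",
}
# Assumption: plugin ID and version as they appear in the file names above.
BAD_PLUGIN = ("checkmarx-ast-scanner", "2026.5.09")
EXTENSIONS = {".hpi", ".jpi", ".jar", ".pom"}

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large archives do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def manifest_id(path):
    """Return (Short-Name, Plugin-Version) from a plugin archive, else None."""
    try:
        with zipfile.ZipFile(path) as archive:
            text = archive.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    pairs = (ln.split(":", 1) for ln in text.splitlines() if ":" in ln and ln[0] != " ")
    fields = {key.strip(): value.strip() for key, value in pairs}
    return fields.get("Short-Name"), fields.get("Plugin-Version")

def scan(root):
    """Return (path, reason) for every file under root that matches an IoC."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        digest = sha256_file(path)
        if digest in IOC_SHA256:
            findings.append((str(path), "SHA-256 matches " + IOC_SHA256[digest]))
        elif manifest_id(path) == BAD_PLUGIN:
            findings.append((str(path), "manifest reports %s %s" % BAD_PLUGIN))
    return findings

if __name__ == "__main__":
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s: %s" % hit)
```

Run it with the directory to check as the only argument, for example the Jenkins home directory on the controller. A manifest-only match means the file differs from the listed hashes and should be examined by hand.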
The post TeamPCP Targets Checkmarx Jenkins Plugin After KICS Breach appeared first on Cyber Security News.
