Checkmarx on Friday warned users that a malicious version of its Jenkins AST plugin was published as part of a supply chain attack.
The plugin enables users to integrate the functionality of the Checkmarx One platform into Jenkins pipelines, allowing them to scan source code using the Checkmarx AST platform.
“We are aware that a modified version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace. We are in the process of publishing a new version of this plugin,” Checkmarx said on Friday.
The company told users to ensure they are running version 2.0.13-829.vc72453fa_1c16 of the Jenkins AST plugin, which was published in December 2025.
Over the weekend, Checkmarx released two new versions of the plugin. The latest iteration, 2.0.13-848.v76e89de8a_053, is now available on both GitHub and the Jenkins Marketplace.
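To turn the advice above into a repeatable check, here is an added example (not Checkmarx's or Jenkins' own code) that reads a Jenkins plugin inventory in the shape returned by `GET /pluginManager/api/json?depth=1` and flags any Checkmarx AST plugin whose version is not one of the two the vendor named. It assumes the plugin's short name is `checkmarx-ast-scanner`; the inventory JSON is constructed for the example.

```python
import json
import re

# Constructed sample inventory (assumption: short name "checkmarx-ast-scanner").
SAMPLE_INVENTORY = json.dumps({
    "plugins": [
        {"shortName": "checkmarx-ast-scanner", "version": "2.0.13-829.vc72453fa_1c16"},
        {"shortName": "git", "version": "5.7.0"},
    ]
})

# Versions Checkmarx named as safe to run (from the advisory and the follow-up release).
KNOWN_GOOD = {
    "checkmarx-ast-scanner": {
        "2.0.13-829.vc72453fa_1c16",
        "2.0.13-848.v76e89de8a_053",
    }
}

# Jenkins incremental versions look like <release>-<build>.v<git-hash>.
INCREMENTAL = re.compile(r"^(?P<release>[\d.]+)-(?P<build>\d+)\.v(?P<hash>[0-9a-f_]+)$")


def parse_incremental(version):
    """Return (release tuple, build number, hash) or None if not an incremental version."""
    m = INCREMENTAL.match(version)
    if not m:
        return None
    release = tuple(int(p) for p in m.group("release").split("."))
    return release, int(m.group("build")), m.group("hash")


def audit_plugins(inventory_json, known_good=KNOWN_GOOD):
    """Map each allowlisted plugin name to 'ok', 'not-allowlisted' or 'unparseable'."""
    findings = {}
    for plugin in json.loads(inventory_json)["plugins"]:
        name, version = plugin["shortName"], plugin["version"]
        if name not in known_good:
            continue  # only the plugins we have a vendor baseline for
        if version in known_good[name]:
            findings[name] = "ok"
        elif parse_incremental(version) is None:
            findings[name] = "unparseable"  # unexpected format; inspect by hand
        else:
            findings[name] = "not-allowlisted"  # any other build, newer or older, is a finding
    return findings
```

A version string only tells you what the plugin manager reports, so pair this inventory check with the vendor's advisory and the artifact on GitHub before treating an install as clean.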
Checkmarx has not shared information on how the malicious plugin version was published, but the incident is part of the supply chain attack the security firm has been dealing with since March.
As a result of the Trivy supply chain attack, the TeamPCP hacker gang accessed Checkmarx’s repositories in late March and published malicious artifacts.
A month later, likely due to continuous or renewed attacker access, a new wave of malicious artifacts was published on behalf of Checkmarx.
Soon after, the infamous Lapsus$ extortion group publicly released data allegedly stolen from the company’s repositories.
The company confirmed at the time that the data was likely stolen from its GitHub repositories in late March, using credentials compromised through the Trivy supply chain attack.
