TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack
EXECUTIVE SUMMARY
Checkmarx Jenkins AST Plugin Compromised by TeamPCP
Summary
The article reports that the Checkmarx Jenkins AST plugin was compromised by the group TeamPCP, who got a modified build of the plugin into the Jenkins Marketplace. The incident comes only weeks after a supply chain attack on KICS (Keeping Infrastructure as Code Secure), Checkmarx's open-source infrastructure-as-code scanner.
Key Points
- Checkmarx confirmed the compromise of the Jenkins AST plugin.
- A modified version of the plugin was published to the Jenkins Marketplace.
- Version 2.0.13-829.vc72453fa_1c16, released on December 17, 2025, is the last version presented as trustworthy; users are advised to stay on (or roll back to) that version or an earlier one, and to treat anything newer as suspect until Checkmarx says otherwise.
- This incident follows a recent supply chain attack on KICS.
Analysis
The compromise of the Checkmarx Jenkins AST plugin by TeamPCP, so soon after the KICS incident, shows how attractive a vendor's distribution channels are as a supply chain target. A Jenkins plugin is a particularly damaging thing to backdoor: plugins run inside the Jenkins controller process, where they can read stored credentials, touch every build's workspace and artifacts, and schedule work on agents. A security-scanning plugin is granted exactly that kind of broad access by design, so a malicious version could steal secrets or tamper with builds across every pipeline that invokes it. Pinning plugin versions to a known-good release and verifying the downloaded .jpi against the checksum published by the update center, rather than accepting whatever the latest version is, is the practical defence.
Conclusion
IT professionals should immediately check which version of the Checkmarx Jenkins AST plugin is installed on every controller (via Manage Jenkins > Plugins, the plugin manager API, or the Plugin-Version header in the plugin's manifest under $JENKINS_HOME/plugins) and make sure it is version 2.0.13-829.vc72453fa_1c16 or earlier. If a newer version was ever installed, the prudent response is to treat the controller as potentially compromised: rotate the credentials it held and review builds produced while that version was active. Keep watching Checkmarx's advisories for the updated guidance and a confirmed clean release.
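The version check above, as an added example (this is not Checkmarx's or the Jenkins project's own tooling). It compares Jenkins plugin version strings correctly, reads either the JSON that the Jenkins plugin manager API returns or a plugin's MANIFEST.MF, and reports whether the installed version is the last known-good one or older. The plugin short name "checkmarx-ast-scanner", the sample API responses and the "newer" version string are assumptions constructed for the example, not identifiers taken from the advisory.

```python
"""Check an installed Jenkins plugin against the last known-good version.

Added example, not Checkmarx's or Jenkins' own code. Assumptions (labelled):
  - the plugin's Jenkins short name is "checkmarx-ast-scanner" (assumed);
  - input JSON has the shape of GET /pluginManager/api/json?depth=1
    (a "plugins" list whose entries carry "shortName" and "version").
"""
import json
import re

PLUGIN_ID = "checkmarx-ast-scanner"          # assumed short name of the plugin
LAST_GOOD = "2.0.13-829.vc72453fa_1c16"      # last trusted version named in the summary


def version_key(version: str) -> tuple:
    """Map a Jenkins plugin version to a tuple that sorts correctly.

    Incremental versions look like '<release>-<build>.v<commit>'. The commit
    suffix carries no ordering and is dropped; the release part is compared
    numerically, then the build counter. Plain versions such as '2.0.10'
    (no build counter) get build 0.
    """
    base = version.split(".v", 1)[0]
    release, _, build = base.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in release.split("."))
    return nums, (int(build) if build.isdigit() else 0)


def is_trusted(version: str, last_good: str = LAST_GOOD) -> bool:
    """True if `version` is the last known-good release or older."""
    return version_key(version) <= version_key(last_good)


def version_from_manifest(manifest_text: str):
    """Pull Plugin-Version out of a plugin's META-INF/MANIFEST.MF text.

    Offline path: read $JENKINS_HOME/plugins/<id>/META-INF/MANIFEST.MF and
    pass its contents here. Returns None if the header is missing.
    """
    m = re.search(r"^Plugin-Version:\s*(\S+)", manifest_text, re.MULTILINE)
    return m.group(1) if m else None


def assess(plugin_api_json: str, plugin_id: str = PLUGIN_ID) -> dict:
    """Classify the plugin from the JSON of /pluginManager/api/json?depth=1."""
    for p in json.loads(plugin_api_json).get("plugins", []):
        if p.get("shortName") == plugin_id:
            v = p.get("version", "")
            return {"installed": True, "version": v,
                    "trusted": is_trusted(v), "active": bool(p.get("active"))}
    return {"installed": False, "version": None, "trusted": True, "active": False}


# Constructed samples: one controller on the last good release, one on a
# newer (made-up) version string that should be flagged.
SAMPLE_OK = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.2.2", "active": True},
    {"shortName": PLUGIN_ID, "version": LAST_GOOD, "active": True},
]})
SAMPLE_NEWER = json.dumps({"plugins": [
    {"shortName": PLUGIN_ID, "version": "2.0.14-830.v0123456789ab", "active": True},
]})
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\n"
    "Plugin-Version: 2.0.13-829.vc72453fa_1c16\n"
    "Short-Name: checkmarx-ast-scanner\n"
)

if __name__ == "__main__":
    for label, sample in (("controller A", SAMPLE_OK), ("controller B", SAMPLE_NEWER)):
        print(label, assess(sample))
    mv = version_from_manifest(SAMPLE_MANIFEST)
    print("manifest version:", mv, "trusted:", is_trusted(mv))
```

Two caveats. The version string alone proves nothing about integrity: a tampered .jpi could carry any version, so pair this check with a checksum comparison of the installed plugin file against the hash the Jenkins update center publishes. And two builds that share the same release and build counter but differ only in the commit suffix compare as equal here, which is deliberate but worth knowing when reading the output.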