TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack
May 11, 2026
Supply Chain Attack / DevSecOps
Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace. "If you are using Checkmarx Jenkins AST plugin, you need to ensure that you are using the version 2.0.13-829.vc72453fa_1c16 that was published on December 17, 2025 or previously," the cybersecurity company said in a statement over the weekend. As of writing, Checkmarx has released 2.0.13-848.v76e89de8a_053 on both GitHub and the Jenkins Marketplace. A spokesperson for the company said the new version addresses the concerns associated with the incident. It's assessed that the malicious code was published after obtaining credentials from a previous supply chain attack that took place in March 2026. The development is the latest attack orchestrated by TeamPCP targeting Checkmarx. It arrives a couple of weeks after the notorious cybercrime group was attributed to the compromise of its KICS Docker image, two VS Code extensions, and a GitHub Actions workflo...
