Checkmarx Jenkins Plugin Hit by Supply Chain Attack
A malicious version of Checkmarx's Jenkins AST plugin was published as part of a supply chain attack; users are urged to update to the fixed releases, the earliest of which dates from December 2025.
By
Content Team
Checkmarx warned users on Friday that attackers had published a malicious version of its Jenkins AST plugin to the Jenkins Marketplace. The plugin, which integrates Checkmarx One security scanning into Jenkins pipelines, was compromised as part of an ongoing supply chain attack that began in March.
The company urged users to update to version 2.0.13-829.vc72453fa_1c16, released in December 2025, and published two newer versions over the weekend. The latest, 2.0.13-848.v76e89de8a_053, is available on GitHub and the Jenkins Marketplace.
The incident stems from the Trivy supply chain attack, in which the TeamPCP group gained access to Checkmarx repositories and published malicious artifacts. The Lapsus$ group later released data stolen from the company.
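Because the advisory identifies the fix by exact version string, the practical check on a Jenkins controller is whether the installed plugin matches a known-good version rather than whether it merely sorts above some threshold. The following is an added example, not code from the article or from Checkmarx: it parses the Jenkins incremental version format used by these releases (`<major>.<minor>.<patch>-<build>.v<hash>`) and audits a plugin inventory against an exact allowlist. The plugin short name `checkmarx-ast-scanner`, the inventory layout (modelled on Jenkins' `/pluginManager/api/json?depth=1` response) and the sample inventory are assumptions made for the example; only the two version strings come from the article, which mentions a third fixed release without naming it.

```python
"""Added example: audit a Jenkins plugin inventory for the Checkmarx AST
plugin against the versions the article names as fixed.

Assumptions (not stated on the page): the plugin's short name is
"checkmarx-ast-scanner" and the inventory is the JSON body returned by
Jenkins' /pluginManager/api/json?depth=1. The sample inventory below is
constructed for this example and is not output from a real controller.
"""
import json
import re

PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"  # assumed short name, see lead-in

# Versions the article names as safe. The page says a third fixed release
# exists between these two but does not give its version string, so it is
# deliberately not listed; add it once confirmed against the vendor advisory.
KNOWN_GOOD_VERSIONS = frozenset({
    "2.0.13-829.vc72453fa_1c16",
    "2.0.13-848.v76e89de8a_053",
})

# Jenkins incremental-release format: <major>.<minor>.<patch>-<build>.v<hash>.
# Underscores inside the hash are a quirk of that scheme and are kept as-is.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)\.v([0-9a-f_]+)$")


def parse_version(version):
    """Split a Jenkins plugin version string into comparable parts."""
    m = VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unrecognised Jenkins plugin version: {version!r}")
    major, minor, patch, build, commit = m.groups()
    return int(major), int(minor), int(patch), int(build), commit


def assess_version(version):
    """Classify an installed version string.

    Exact allowlisting is used instead of a 'version >= fixed' comparison:
    a malicious upload can carry any version string, including one that sorts
    above the genuine fix, so ordering alone does not prove a build is clean.
    """
    if version in KNOWN_GOOD_VERSIONS:
        return "known-good"
    try:
        parts = parse_version(version)
    except ValueError:
        return "unparseable"
    oldest_good = min(parse_version(v)[:4] for v in KNOWN_GOOD_VERSIONS)
    if parts[:4] < oldest_good:
        return "outdated"      # predates the earliest fixed release
    return "unverified"        # at or after the fix but not on the allowlist


def audit_inventory(raw_json):
    """Return (shortName, version, verdict) for each installed copy of the plugin.

    raw_json is the body of /pluginManager/api/json?depth=1 (assumed layout:
    {"plugins": [{"shortName": ..., "version": ...}, ...]}).
    """
    inventory = json.loads(raw_json)
    findings = []
    for plugin in inventory.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = str(plugin.get("version", ""))
            findings.append((PLUGIN_SHORT_NAME, version, assess_version(version)))
    return findings


# Constructed sample inventory so the script runs stand-alone.
SAMPLE_INVENTORY = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.7.0", "active": True},
        {"shortName": PLUGIN_SHORT_NAME,
         "version": "2.0.13-848.v76e89de8a_053", "active": True},
    ]
})

if __name__ == "__main__":
    findings = audit_inventory(SAMPLE_INVENTORY)
    if not findings:
        print(f"{PLUGIN_SHORT_NAME}: not installed")
    for name, version, verdict in findings:
        print(f"{name} {version}: {verdict}")
```

A verdict of "unverified" is the one to act on: it means the build number is at or above the fix but the exact string is not one the vendor has named, which is precisely the situation a malicious upload produces. Treat "outdated" as a routine upgrade and extend `KNOWN_GOOD_VERSIONS` only from the vendor's own advisory, never by inference from the version ordering.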
Source: Security Week