Live Cybersecurity News Ticker | Codekeeper

Checkmarx Jenkins Plugin Hit by Supply Chain Attack

Written by Content Team | May 11, 2026 8:47:41 PM

Checkmarx warned users Friday that hackers published a malicious version of its Jenkins AST plugin to the Jenkins Marketplace. The compromised plugin, which integrates Checkmarx One security scanning into Jenkins pipelines, was part of an ongoing supply chain attack that began in March.

The company urged users to update to version 2.0.13-829.vc72453fa_1c16, which dates from December 2025, and released two newer versions over the weekend. The latest version, 2.0.13-848.v76e89de8a_053, is now available on GitHub and the Jenkins Marketplace.

This incident stems from the Trivy supply chain attack, in which TeamPCP hackers accessed Checkmarx repositories and published malicious artifacts. The Lapsus$ group later released stolen company data.

Source: Security Week