Checkmarx engineers spent the weekend scrambling to purge a malicious build of the company's Jenkins AST Scanner plugin after intruders linked to TeamPCP pushed an unauthorized upload to the Jenkins Marketplace. The compromise, disclosed on Saturday, May 9, 2026, marks the second confirmed TeamPCP intrusion targeting the application security vendor this year and rides directly through infrastructure that customers install specifically to harden their CI pipelines.
What Happened
On Saturday, May 9, 2026, Checkmarx notified customers that a modified version of its Jenkins AST Scanner plugin had been published to the Jenkins Marketplace without authorization. The plugin, which performs security scans inside Jenkins continuous integration pipelines, is deployed by several hundred controllers worldwide. Checkmarx confirmed the tampered release should not be trusted and instructed users to verify they are running the legitimate version, 2.0.13-829.vc72453fa_1c16, published December 17, 2025.
Security engineer Adnan Khan flagged the compromise within hours of the upload. At the time of disclosure, the malicious release remained live on the Marketplace as the most recent available version, although pull requests filed Monday morning indicated imminent removal. Checkmarx said it was in the process of publishing a clean replacement.
TeamPCP, the same crew behind an earlier April 2026 supply chain intrusion against Checkmarx, also defaced the vendor's GitHub. The attackers renamed the AST plugin's repository page to "Checkmarx-Fully-Hacked-by-TeamPCP-and-Their-Customers-Should-Cancel-Now" and modified the description to allege Checkmarx had failed to rotate its credentials following the previous breach. Six packages were briefly published under the Checkmarx GitHub org, each carrying descriptions referencing the Shai-Hulud wormable malware family.
What Was Taken
The immediate impact is not data exfiltration from Checkmarx itself but downstream exposure across every customer pipeline that pulled the trojanized plugin. Because the AST Scanner executes inside Jenkins build runners, a backdoored version inherits access to:
- Source code checked out by the pipeline
- Environment variables and CI secrets
- Authentication tokens, deployment keys, and registry credentials
- Any secrets reachable by the Jenkins runner process
The malicious build reportedly carries Mini Shai-Hulud payloads, the same component family seen injected into compromised SAP npm packages during earlier stages of the TeamPCP campaign. Total reach across the plugin's installed base has not been publicly enumerated, but with several hundred controllers and an unknown number of downstream builds per controller, the blast radius is substantial.
Why It Matters
The Checkmarx incident hits the trust model security tooling depends on. As SOCRadar noted, the Jenkins AST plugin is installed specifically to make pipelines safer, so a backdoored release does not just compromise one project; it rides trusted infrastructure into every build it touches. Defenders who allowlisted the plugin's publisher have effectively allowlisted the attacker.
This is also the second TeamPCP intrusion against Checkmarx in roughly a month, following the April compromise. The defacement messaging accusing Checkmarx of failing to rotate secrets suggests credentials or tokens harvested in the earlier breach were reused to authenticate the malicious Marketplace upload, a pattern consistent with incomplete remediation after the initial event. For other vendors watching, the lesson is that supply chain attackers do not move on after one round; they re-enter through whatever was not rotated.
The Attack Technique
TeamPCP's method follows the playbook now well-established across the Shai-Hulud lineage: compromise a maintainer or publisher account, push a payload-laden release through legitimate distribution channels, and ride the trust relationship into downstream environments. The injected component appears to be a Mini Shai-Hulud variant, the trimmed-down propagation module deployed in earlier SAP npm package compromises during the broader TeamPCP campaign.
The original Shai-Hulud surfaced in September 2025 across hundreds of npm packages. Shai-Hulud 2.0 followed in November, sweeping more than 25,000 GitHub repositories. The Mini Shai-Hulud variant now embedded in the Checkmarx Jenkins plugin is purpose-built for credential and secret harvesting from CI runners, with self-propagation aimed at reachable repositories and registries.
Initial access to Checkmarx publishing infrastructure was almost certainly through residual access from the April intrusion, where credentials or session material were not fully rotated, an inference TeamPCP themselves amplified through their defacement text.
What Organizations Should Do
- Audit Jenkins controllers immediately for Checkmarx AST Scanner plugin versions published on or after May 9, 2026. Confirm the installed build is 2.0.13-829.vc72453fa_1c16 from December 17, 2025, or a Checkmarx-issued clean replacement.
- Treat any controller that ran the malicious version as compromised. Rotate all secrets reachable from the affected Jenkins runner, including source control tokens, cloud credentials, registry keys, signing keys, and webhook secrets.
- Review CI build logs and outbound network telemetry from affected runners for the May 9 to May 11 window. Look for unexpected connections to GitHub, npm, or unfamiliar exfiltration endpoints, and for Mini Shai-Hulud indicators published by responders.
- Pin plugin versions in Jenkins rather than auto-updating from the Marketplace. Require manual review and checksum verification for any security-tooling plugin upgrade.
- Enforce hardware-backed MFA and short-lived publishing credentials on all Marketplace, npm, and package registry accounts. Assume any credential not rotated since April 2026 is potentially in attacker possession.
- Segment CI runner secrets so that a single compromised build cannot access production deployment credentials or signing material. Apply just-in-time secret issuance instead of long-lived environment variables.
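The audit step above can be scripted against a controller's plugin inventory. The following is an added example, not Checkmarx or Jenkins code; it assumes the plugin's Marketplace short name is "checkmarx-ast-scanner" and that the inventory is the JSON returned by the Jenkins endpoint /pluginManager/api/json?depth=1 (the sample payload below is constructed).

```python
"""Flag Jenkins controllers running an untrusted Checkmarx AST Scanner build.

Added example, not vendor code. Assumptions: plugin short name
"checkmarx-ast-scanner"; input is the pluginManager API JSON, which lists
each plugin with "shortName" and "version". The sample inventory is constructed.
"""
import json

# Known-good build named in the advisory. Add a Checkmarx-issued clean
# replacement here once it is published; anything else is untrusted.
GOOD_VERSIONS = {"2.0.13-829.vc72453fa_1c16"}
PLUGIN_ID = "checkmarx-ast-scanner"  # assumption: Marketplace short name

# Constructed sample payload: one unrelated plugin, one placeholder
# (not the real malicious version string) Checkmarx build.
SAMPLE_INVENTORY = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.7.0", "active": True},
        {"shortName": PLUGIN_ID, "version": "0.0.0-constructed_placeholder",
         "active": True},
    ]
})


def audit_plugins(inventory_json: str, plugin_id: str = PLUGIN_ID,
                  good_versions: set = GOOD_VERSIONS) -> dict:
    """Return status, installed version and whether secrets must be rotated.

    "untrusted" covers any version not on the allowlist, newer or older,
    because a controller that ran an unknown build must be treated as
    compromised and every secret reachable from its runners rotated.
    """
    plugins = json.loads(inventory_json).get("plugins", [])
    matches = [p for p in plugins if p.get("shortName") == plugin_id]
    if not matches:
        return {"status": "not_installed", "version": None, "rotate_secrets": False}
    installed = matches[0].get("version", "")
    if installed in good_versions:
        return {"status": "ok", "version": installed, "rotate_secrets": False}
    return {"status": "untrusted", "version": installed, "rotate_secrets": True}


if __name__ == "__main__":
    # Replace SAMPLE_INVENTORY with the file or API response from your controller.
    print(audit_plugins(SAMPLE_INVENTORY))
```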
Sources: Checkmarx tackles another TeamPCP intrusion as Jenkins plugin sabotaged