TeamPCP Supply Chain Attack on Checkmarx Jenkins AST Plugin — Detection and Remediation Guide | Security Arsenal

A critical supply chain attack has emerged involving the Checkmarx Jenkins AST (Application Security Testing) plugin. The threat actor known as TeamPCP has successfully compromised and published a modified version of this plugin to the Jenkins Marketplace, creating a severe risk for organizations relying on this integration for DevSecOps pipelines.

This attack is particularly insidious because it targets a trusted component within the software delivery lifecycle—CI/CD infrastructure. When a security tool itself becomes the attack vector, defenders face a dual challenge: they must remediate the compromise while simultaneously questioning the integrity of their security scanning results. The attacker's access to the Jenkins plugin provides them with a potential foothold in build environments, where code signing secrets, credentials, and proprietary source code reside.

Checkmarx has confirmed that only versions prior to and including 2.0.13-829.vc72453fa_1c16 (published December 17, 2025) are safe. Any version installed after this date should be treated as compromised and immediately remediated. This incident follows TeamPCP's earlier compromise of the KICS (Keeping Infrastructure as Code Secure) scanner, indicating a sustained campaign against DevSecOps tooling.

Technical Analysis

Affected Product: Checkmarx Jenkins AST Plugin

Safe Version: 2.0.13-829.vc72453fa_1c16 (published December 17, 2025 or earlier)

Compromised Versions: Any version installed after December 17, 2025

Threat Actor: TeamPCP

Attack Vector: Supply Chain Compromise

Attack Chain Breakdown:

Initial Compromise: TeamPCP gained unauthorized access to the Checkmarx Jenkins plugin publishing credentials or infrastructure, allowing them to upload maliciously modified versions to the Jenkins Update Center.
Plugin Installation: Victims installed the compromised plugin via the Jenkins Plugin Manager, trusting the official Jenkins Marketplace as a trusted source. The modified plugin retains the legitimate functionality of the AST tool while embedding malicious code.
Execution: The malicious payload executes within the Jenkins JVM context. Since Jenkins typically runs with elevated privileges to access build tools and source repositories, the attacker gains significant capabilities.
Post-Exploitation: While specific TTPs (Tactics, Techniques, and Procedures) for this compromise are still being analyzed, supply chain attacks on CI/CD tools typically involve:
- Exfiltration of source code and credentials
- Injection of malicious code into the build pipeline
- Persistence mechanisms within Jenkins configuration
- Lateral movement to connected build agents and version control systems

Exploitation Status: Confirmed active exploitation in the wild. This is not theoretical—malicious versions have been published and are available for installation.

Impact Assessment:

CVSS Score: Estimated 8.8-9.0 (High) based on supply chain impact and potential for code integrity compromise
CISA KEV Status: Not yet cataloged at time of writing, but expected to be added given severity

Detection & Response

SIGMA Rules

YAML

---
title: Checkmarx Jenkins AST Plugin Compromised Version Installation
id: 8d2f4a1c-9e7b-4c3d-a1f5-6e8g9h0i1j2k
status: experimental
description: Detects installation of compromised Checkmarx Jenkins AST plugin versions after December 17, 2025
references:
 - https://thehackernews.com/2026/05/teampcp-compromises-checkmarx-jenkins.html
author: Security Arsenal
date: 2026/05/15
tags:
 - attack.initial_access
 - attack.supply_chain
 - attack.t1195.002
logsource:
 category: file_change
 product: windows
detection:
 selection:
  TargetFilename|contains: '\plugins\checkmarx-ast'
  TargetFilename|endswith: '.jpi'
 condition: selection
 timeframe: 7d
falsepositives:
 - Legitimate plugin updates prior to compromise
level: critical
---
title: Jenkins Process Spawning Shell with Checkmarx Plugin Context
id: 9e3g5b2d-0f8c-4a1e-b2g6-7f9h0i1j2k3l
status: experimental
description: Detects Jenkins (java.exe) spawning suspicious shell processes potentially related to compromised AST plugin
references:
 - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/05/15
tags:
 - attack.execution
 - attack.t1059
logsource:
 category: process_creation
 product: windows
detection:
 selection_parent:
  ParentImage|endswith: '\java.exe'
  ParentCommandLine|contains: 'jenkins'
 selection_child:
  Image|endswith:
   - '\cmd.exe'
   - '\powershell.exe'
   - '\bash.exe'
  CommandLine|contains:
   - 'download'
   - 'Invoke-WebRequest'
   - 'curl'
   - 'wget'
 condition: all of selection_*
falsepositives:
 - Legitimate build scripts executing shell commands
level: high
---
title: Jenkins Plugin Directory Modification - Suspicious Pattern
id: 0a4h6c3e-1g9d-5b2f-c3h7-0i1j2k3l4m5n
status: experimental
description: Detects modification of Jenkins plugin directory structures potentially indicating plugin tampering
references:
 - https://attack.mitre.org/techniques/T1565.001/
author: Security Arsenal
date: 2026/05/15
tags:
 - attack.defense_evasion
 - attack.t1565.001
logsource:
 category: file_change
 product: windows
detection:
 selection:
  TargetFilename|contains:
   - '\plugins\checkmarx'
   - '\plugins\ast'
  Operation|contains:
   - 'FileModified'
   - 'FileRenamed'
 filter:
  User|contains:
   - 'SYSTEM'
   - 'JENKINS_SERVICE'
 condition: selection and not filter
falsepositives:
 - Authorized plugin management activities
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender

// Hunt for Checkmarx Jenkins AST plugin installation activity
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessVersionInfoOriginalFileName == "jenkins.war" or ProcessCommandLine contains "jenkins"
| where ProcessCommandLine contains "checkmarx" 
   or ProcessCommandLine contains "AST"
   or ProcessCommandLine contains "plugin"
| where ProcessCommandLine contains "install"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

// Check for suspicious network connections from Jenkins hosts
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName =~ "java.exe"
| where InitiatingProcessCommandLine contains "jenkins"
| where RemoteUrl contains "checkmarx" or RemotePort in (443, 8080, 80)
| summarize Count=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, RemoteUrl, RemoteIP
| where Count > 10  // High volume connections may indicate data exfil
| order by Count desc

// File system modifications in Jenkins plugins directory
DeviceFileEvents
| where Timestamp > ago(30d)
| where FolderPath contains @"\plugins\checkmarx" 
   or FolderPath contains @"\plugins\ast"
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, ActionType, FileName, SHA256
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor

-- Hunt for Checkmarx AST plugin versions in Jenkins directory
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs='/*jenkins*/plugins/checkmarx*/**')
WHERE Mtime > timestamp("2025-12-17")

-- Check for running Jenkins processes with suspicious children
SELECT Parent.Pid AS ParentPid, Parent.Name AS ParentName, Parent.CommandLine AS ParentCommandLine,
       Child.Pid AS ChildPid, Child.Name AS ChildName, Child.CommandLine AS ChildCommandLine
FROM pslist()
LEFT JOIN pslist() AS Child ON Parent.Pid = Child.Ppid
WHERE Parent.Name =~ "java" AND Parent.CommandLine =~ "jenkins"
  AND Child.Name IN ("cmd.exe", "powershell.exe", "bash.exe", "sh")
  AND Child.CommandLine =~ "(download|curl|wget|Invoke-WebRequest|netcat|nc)"

-- Identify network connections from Jenkins processes
SELECT Pid, Name, CommandLine, RemoteAddr, RemotePort, State
FROM netstat()
WHERE Name =~ "java" AND CommandLine =~ "jenkins"
  AND RemotePort NOT IN (22, 80, 443, 8080, 50000)  // Non-standard Jenkins ports

Remediation Script (Bash for Linux Jenkins Servers)

Bash / Shell

#!/bin/bash

# Checkmarx Jenkins AST Plugin Remediation Script
# Usage: Run as root or Jenkins service user

JENKINS_HOME="/var/lib/jenkins"
PLUGIN_DIR="${JENKINS_HOME}/plugins"
SAFE_VERSION="2.0.13-829.vc72453fa_1c16"
LOG_FILE="/var/log/jenkins_plugin_remediation.log"

echo "[$(date)] Starting Checkmarx AST plugin remediation" >> "${LOG_FILE}"

# Backup current plugin state before remediation
BACKUP_DIR="/tmp/jenkins_plugin_backup_$(date +%Y%m%d_%H%M%S)"
mkdir -p "${BACKUP_DIR}"

echo "[$(date)] Creating backup of current plugin files" >> "${LOG_FILE}"
if [ -d "${PLUGIN_DIR}" ]; then
    find "${PLUGIN_DIR}" -name "checkmarx*.jpi" -o -name "checkmarx*.hpi" | while read plugin; do
        cp -p "${plugin}" "${BACKUP_DIR}/"
        echo "[$(date)] Backed up: ${plugin}" >> "${LOG_FILE}"
    done
fi

# Check installed Checkmarx AST plugin version
echo "[$(date)] Checking installed Checkmarx AST plugin version" >> "${LOG_FILE}"
INSTALLED_VERSION=$(find "${PLUGIN_DIR}" -name "checkmarx*.jpi" -o -name "checkmarx*.hpi" 2>/dev/null | head -1)

if [ -n "${INSTALLED_VERSION}" ]; then
    # Extract version from MANIFEST.MF if available
    PLUGIN_VERSION=$(unzip -p "${INSTALLED_VERSION}" META-INF/MANIFEST.MF 2>/dev/null | grep "Plugin-Version" | cut -d: -f2 | tr -d ' \r')
    echo "[$(date)] Found installed version: ${PLUGIN_VERSION}" >> "${LOG_FILE}"
    
    if [ "${PLUGIN_VERSION}" == "${SAFE_VERSION}" ] || [ -z "${PLUGIN_VERSION}" ]; then
        echo "[$(date)] Version ${PLUGIN_VERSION} appears safe or could not be determined. Manual verification required." >> "${LOG_FILE}"
    else
        echo "[!] ALERT: Potentially compromised version detected: ${PLUGIN_VERSION}" >> "${LOG_FILE}"
        echo "[!] Removing plugin file: ${INSTALLED_VERSION}" >> "${LOG_FILE}"
        rm -f "${INSTALLED_VERSION}"
    fi
else
    echo "[$(date)] No Checkmarx AST plugin found in plugin directory" >> "${LOG_FILE}"
fi

# Check for any additional suspicious files in Checkmarx plugin directory
echo "[$(date)] Scanning for suspicious artifacts" >> "${LOG_FILE}"
find "${PLUGIN_DIR}" -path "*checkmarx*" -type f \( -name "*.class" -o -name "*.jar" \) -newermt "2025-12-17" >> "${LOG_FILE}" 2>&1

# Restart Jenkins service to apply changes if plugin was removed
if [ -f "${INSTALLED_VERSION}" ] && [ "${PLUGIN_VERSION}" != "${SAFE_VERSION}" ]; then
    echo "[$(date)] Compromised plugin removed. Restarting Jenkins service." >> "${LOG_FILE}"
    systemctl restart jenkins
    echo "[$(date)] Jenkins restart initiated" >> "${LOG_FILE}"
fi

echo "[$(date)] Remediation script completed. Review log at: ${LOG_FILE}" >> "${LOG_FILE}"
echo "Backup location: ${BACKUP_DIR}"

Remediation

Immediate Actions Required

1. Verify Plugin Version Status

Access your Jenkins instance via the UI or CLI and navigate to Manage Jenkins → Plugin Manager → Installed. Locate the "Checkmarx AST" plugin and verify the installed version.

SAFE: Version 2.0.13-829.vc72453fa_1c16 or any version published before December 17, 2025
COMPROMISED: Any version installed after December 17, 2025

2. Uninstall Compromised Versions

If you have installed the Checkmarx AST plugin after December 17, 2025:

Navigate to Manage Jenkins → Plugin Manager
Find "Checkmarx AST" in the installed plugins list
Click Uninstall (do not simply disable)
Restart Jenkins to complete the removal

3. Credential Rotation

Treat this as a credential exposure incident:

Rotate all API keys and credentials stored in Jenkins that were accessible to build jobs using the Checkmarx plugin
Rotate Checkmarx platform credentials
Review Jenkins logs for evidence of unauthorized access or credential exfiltration
Rotate any Git/SCM credentials used in pipelines that executed the compromised plugin

4. Pipeline Integrity Verification

Since this plugin executes as part of the build pipeline:

Conduct a forensic review of all artifacts built while the compromised plugin was active
Review build logs for suspicious command execution or network connections
Consider re-building and re-deploying artifacts created during the compromise window

Official Vendor Guidance

Checkmarx has released a secure version of the plugin. Organizations should:

Monitor the official Jenkins Plugin Update Center for the verified safe release
Only re-install the plugin after confirming the version has been verified by Checkmarx
Follow Checkmarx's official security advisory for the latest updates

Official Advisory URL: Checkmarx Security Advisory (refer to Jenkins AST Plugin incident)

Long-Term Security Hardening

1. Implement Plugin Verification

Enable Jenkins plugin signature verification where supported
Maintain a software bill of materials (SBOM) for all Jenkins plugins
Implement change detection on the Jenkins plugins directory

2. Network Segmentation for CI/CD

Restrict outbound network access from Jenkins to only required endpoints
Implement egress filtering to prevent C2 communication
Monitor all Jenkins network traffic for anomalies

3. Principle of Least Privilege

Run Jenkins with minimal required permissions
Avoid running Jenkins as root or with excessive system access
Implement role-based access control for plugin management

4. DevSecOps Pipeline Controls

Implement pre-deployment verification of plugin hashes
Separate build and release pipeline stages
Require multi-person approval for infrastructure changes

CISA / Regulatory Deadlines

While no specific CISA KEV entry exists at time of writing, under CISA Binding Operational Directive (BOD) 22-01 and similar frameworks, vulnerabilities with active exploitation should be remediated within 15 days of notification. Given the supply chain nature and confirmed actor activity, treat this with the highest priority.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

TeamPCP Supply Chain Attack on Checkmarx Jenkins AST Plugin — Detection and Remediation Guide