Published on 11 May 2026, the SOCRadar post reports that TeamPCP has backdoored the Checkmarx Jenkins plugin for AST scanning, following an earlier breach of Checkmarx’s GitHub Actions and OpenVSX extensions. The attack involved two actions: defacing the official plugin repository on GitHub and backdooring the release hosted at plugins.jenkins[.]io/releases, specifically version 2026.5.09, so any Jenkins instance that pulled that version could receive the compromised plugin.
The backdoor carried a “Dune-themed” malware nicknamed Shai Hulud, with related repos bearing names such as kralizec-navigator-709 and tleilaxu-thumper-952. The piece notes that TeamPCP previously breached checkmarx/ast-github-action and checkmarx/kics-github-action in March 2026, exfiltrating CI runner secrets and pushing malicious OpenVSX extensions, suggesting a pattern of re-entry attempts and credential theft.
It advises Jenkins users to audit installed plugin versions, rotate secrets, search for Dune-themed repository names, review build logs for unusual outbound connections, and pin plugins to verified versions to reduce risk.
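The three log- and inventory-driven checks in that advice (plugin version audit, Dune-themed repository name hunt, unusual outbound hosts in build logs) can be scripted. The block below is an added example written for this summary; it is not code from SOCRadar, Checkmarx or the Jenkins project. It assumes the plugin inventory has the JSON shape a Jenkins controller returns from `/pluginManager/api/json?depth=1` (a `plugins` list with `shortName` and `version`), assumes the plugin ID `checkmarx-ast-scanner` for the Checkmarx AST plugin (the post names the plugin, not its ID, so confirm it on your controller), and uses only the version `2026.5.09` and the repository names the post gives; all inventory, pin, repository and log data is constructed. The name matcher generalizes the two quoted repo names into the shape `<dune-term>-<word>-<3 digits>`, so it will also catch unlisted variants with the same structure.

```python
"""Defensive checks for the mitigations listed in the post.

Added example, not SOCRadar's, Checkmarx's or Jenkins' code.
ASSUMPTION: inventory JSON is the /pluginManager/api/json?depth=1 shape.
ASSUMPTION: plugin ID "checkmarx-ast-scanner" for the Checkmarx AST plugin.
All sample data below is constructed for the example.
"""
import json
import re
from typing import Dict, Iterable, List, Set
from urllib.parse import urlparse

# Versions the post identifies as backdoored, keyed by plugin ID.
KNOWN_BAD_VERSIONS: Dict[str, Set[str]] = {
    "checkmarx-ast-scanner": {"2026.5.09"},  # plugin ID is an assumption
}

# Dune-themed terms tied to the campaign in the post; extend as intel grows.
DUNE_TERMS = ("kralizec", "tleilaxu", "shai-hulud", "shai_hulud")
# The two repo names quoted in the post share the shape <term>-<word>-<3 digits>.
DUNE_REPO_RE = re.compile(
    r"^(?:%s)(?:[-_][a-z0-9]+)*[-_]\d{3}$" % "|".join(re.escape(t) for t in DUNE_TERMS),
    re.IGNORECASE,
)


def audit_plugins(inventory_json: str, pinned: Dict[str, str]) -> List[dict]:
    """Flag installed plugins that are known-bad or drift from a verified pin.

    inventory_json: JSON from a controller's /pluginManager/api/json?depth=1.
    pinned: plugin ID -> version you verified and expect to be installed.
    """
    findings: List[dict] = []
    for p in json.loads(inventory_json).get("plugins", []):
        pid, ver = p.get("shortName"), p.get("version")
        if ver in KNOWN_BAD_VERSIONS.get(pid, set()):
            findings.append({"plugin": pid, "version": ver, "issue": "known-bad-version"})
        elif pid in pinned and pinned[pid] != ver:
            findings.append({"plugin": pid, "version": ver,
                             "issue": "pin-drift", "expected": pinned[pid]})
    return findings


def dune_named_repos(repo_names: Iterable[str]) -> List[str]:
    """Return repository names matching the campaign's Dune-themed naming shape."""
    return [n for n in repo_names if DUNE_REPO_RE.match(n)]


def unusual_outbound(log_lines: Iterable[str], allowed_hosts: Set[str]) -> List[str]:
    """Return hosts that build logs show being contacted and that are not allowlisted."""
    url_re = re.compile(r"https?://[^\s\"'<>]+")
    seen: List[str] = []
    for line in log_lines:
        for url in url_re.findall(line):
            host = urlparse(url).hostname
            if host and host not in allowed_hosts and host not in seen:
                seen.append(host)
    return seen


# --- constructed sample data (not real telemetry) ---
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "checkmarx-ast-scanner", "version": "2026.5.09"},
    {"shortName": "git", "version": "5.2.2"},
    {"shortName": "credentials", "version": "1371.vfee6b_095f0a_3"},
]})
SAMPLE_PINS = {"git": "5.2.2", "credentials": "1370.v8f8c0b_3b_4f1e"}  # constructed pins
SAMPLE_REPOS = ["kralizec-navigator-709", "tleilaxu-thumper-952", "infra-terraform", "navigator-709"]
SAMPLE_LOG = [  # constructed build-log lines; 203.0.113.7 is a TEST-NET-3 address
    "[Pipeline] sh + curl -sS https://updates.jenkins.io/update-center.json",
    "+ git fetch https://github.com/example-org/app.git",
    "Connecting to http://203.0.113.7:8080/collect ...",
]
ALLOWED_HOSTS = {"updates.jenkins.io", "github.com"}

if __name__ == "__main__":
    for f in audit_plugins(SAMPLE_INVENTORY, SAMPLE_PINS):
        print("PLUGIN", f)
    print("DUNE-NAMED", dune_named_repos(SAMPLE_REPOS))
    print("OUTBOUND", unusual_outbound(SAMPLE_LOG, ALLOWED_HOSTS))
```

Run it against a real controller by replacing `SAMPLE_INVENTORY` with the JSON fetched from the plugin manager API, `SAMPLE_PINS` with the versions you have verified, and `SAMPLE_LOG` with archived console output; a `known-bad-version` finding on the Checkmarx plugin is the trigger for the secret rotation the post recommends, since a backdoored plugin runs with the controller's credentials.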