www.securityweek.com, 5/11/2026, 9:50:33 AM

Malicious Checkmarx Jenkins Plugin Found in Supply Chain Attack

Primary source: checkmarx.com

A malicious version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace as part of a supply chain attack, SecurityWeek reports. According to Checkmarx, users should ensure they are running version 2.0.13-829.vc72453fa_1c16 of the Jenkins AST plugin, which was published in December 2025; the firm also published two new plugin versions over the weekend. The latest of these, 2.0.13-848.v76e89de8a_053, is now available on both GitHub and the Jenkins Marketplace.

The incident is described as part of a broader supply chain campaign that Checkmarx has been dealing with since March, linked to attacks on its repositories. SecurityWeek notes that the Trivy supply chain attack enabled the TeamPCP hacker gang to access Checkmarx's repositories in late March and publish malicious artifacts, followed by a further wave of artifacts and, later, data purportedly stolen by the Lapsus$ group.


Article by CyberSIXT
