TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack

Summary

Checkmarx has confirmed that a compromised version of its Jenkins AST plugin was uploaded to the Jenkins Marketplace. The company advises users to update to version 2.0.13-829.vc72453fa_1c16, released on December 17, 2025, or an earlier version.

IFF Assessment

FOE

This compromise of a widely used development tool could allow attackers to inject malicious code or exfiltrate sensitive information from CI/CD pipelines.

Defender Context

This incident highlights the ongoing risk of supply chain attacks targeting developer tools. Defenders should verify the provenance of the software they install, maintain strict version control over critical development infrastructure components such as Jenkins plugins, and patch them promptly.
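One way to act on the version guidance above, as an added example that is not from Checkmarx or the original post: a Python check that reads the inventory returned by the Jenkins plugin manager API (`/pluginManager/api/json?depth=1`), parses Jenkins-style plugin version strings such as `2.0.13-829.vc72453fa_1c16`, and flags an installed Checkmarx AST plugin whose version is newer than the advised release. The plugin id `checkmarx-ast-scanner` is an assumption, and the sample inventory (including its version string) is constructed; the page does not name the compromised version, so the check only reports "newer than advised" rather than "compromised".

```python
import json
import re
from typing import Dict, List, Tuple

# Latest release the advisory says is safe to run; anything newer needs review.
ADVISED_MAX_VERSION = "2.0.13-829.vc72453fa_1c16"
# Assumed Jenkins plugin id for the Checkmarx AST plugin (not stated on the page).
PLUGIN_ID = "checkmarx-ast-scanner"

# <dotted numbers>[-<build>[.v<git hash>]]  e.g. 2.0.13-829.vc72453fa_1c16 or 5.7.0
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)(?:\.v[0-9a-f_]+)?)?$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a Jenkins plugin version into a comparable tuple.

    The trailing commit-hash suffix carries no ordering information and is dropped;
    a missing build number counts as 0, and the dotted part is padded to three components
    so that "2.0" compares equal to "2.0.0".
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Jenkins plugin version: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    if len(numbers) < 3:
        numbers += (0,) * (3 - len(numbers))
    build = int(match.group(2)) if match.group(2) else 0
    return numbers + (build,)


def is_within_advised_range(version: str, ceiling: str = ADVISED_MAX_VERSION) -> bool:
    """True when the installed version is the advised version or an earlier one."""
    return parse_version(version) <= parse_version(ceiling)


def audit_plugins(plugin_manager_json: str) -> List[Dict[str, str]]:
    """Report the status of the Checkmarx AST plugin from plugin-manager JSON output."""
    data = json.loads(plugin_manager_json)
    findings: List[Dict[str, str]] = []
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_ID:
            continue
        version = plugin.get("version", "")
        if is_within_advised_range(version):
            status = "ok: advised version or earlier"
        else:
            status = "REVIEW: newer than advised version"
        findings.append({"shortName": PLUGIN_ID, "version": version, "status": status})
    if not findings:
        findings.append({"shortName": PLUGIN_ID, "version": "", "status": "not installed"})
    return findings


# Constructed sample inventory in the shape of the plugin manager API response.
# The Checkmarx version below is a placeholder chosen to be newer than the advised
# release; it is not a real release and is not the compromised version named by anyone.
SAMPLE_INVENTORY = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.7.0", "active": True},
        {"shortName": PLUGIN_ID, "version": "2.0.14-900.v0000000000000", "active": True},
    ]
})

if __name__ == "__main__":
    for finding in audit_plugins(SAMPLE_INVENTORY):
        print(finding)
```

In practice, feed `audit_plugins` the body of an authenticated request to `JENKINS_URL/pluginManager/api/json?depth=1`; the tuple comparison deliberately ignores the commit hash, since two builds with the same numeric parts cannot be ordered by hash alone.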
