Cybercrooks ruin engineers' weekends with Saturday attack
# Incident Report: TeamPCP Supply Chain Compromise of Checkmarx Jenkins Plugin
## Executive Summary
Over the weekend of May 9, 2026, the threat actor group "TeamPCP" successfully compromised Checkmarx's Jenkins Marketplace presence to distribute a malicious version of the AST Scanner plugin. This incident represents the third successful breach of Checkmarx by the same actor in three months, involving the deployment of "Mini Shai-Hulud" malware. The attack compromised the integrity of CI/CD pipelines for several hundred organizations, potentially exposing source code and secrets.
## Incident Details
- **Discovery Date:** Saturday, May 9, 2026
- **Incident Date:** Saturday, May 9, 2026
- **Affected Organization:** Checkmarx
- **Sector:** Cybersecurity / Software Development Tools
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 9, 2026 (Approximate)
- **Vector:** Likely compromised developer credentials or failure to rotate CI/CD secrets/tokens from previous breaches.
- **Details:** Attackers gained unauthorized access to Checkmarx’s Jenkins Marketplace publishing account.
### Lateral Movement
- **Details:** The actors utilized access to Checkmarx’s plugin infrastructure to modify the official AST Scanner plugin. They also defaced Checkmarx’s GitHub presence, renaming the plugin page to "Checkmarx-Fully-Hacked-by-TeamPCP..."
### Data Exfiltration/Impact
- **Details:** Deployment of a "backdoored" version of the plugin intended to harvest environment variables, tokens, and source code from any Jenkins controller that installed or updated the plugin.
### Detection & Response
- **Discovery:** Initially spotted by security engineer Adnan Khan; subsequently confirmed by Checkmarx.
- **Response Actions:** Checkmarx issued a public advisory on Saturday; started the process of publishing a clean version (v2.0.13-829.vc72453fa_1c16) and initiated pull requests to remove the malicious code on Monday morning.
## Attack Methodology
- **Initial Access:** Valid accounts/Secret exploitation (Likely leaked tokens).
- **Persistence:** Suspected secondary persistence mechanism or unrotated secrets from March/April intrusions.
- **Defense Evasion:** Leveraging trusted supply chain infrastructure (Jenkins Marketplace).
- **Credential Access:** The Mini Shai-Hulud malware is designed to steal environment variables and CI/CD tokens.
- **Lateral Movement:** Supply-chain propagation; the malware is described as wormable.
- **Impact:** Unauthorized code execution within customer build environments.
## Impact Assessment
- **Financial:** Not disclosed, but involves significant remediation labor and potential customer churn.
- **Data Breach:** Exposure of Checkmarx's internal secrets and potentially the secrets/source code of "several hundred" customers.
- **Operational:** Disruption to CI/CD pipelines; engineers required to work through the weekend for emergency patching.
- **Reputational:** High. This is the third successful breach by the same actor in three months, suggesting systemic failures in incident recovery.
## Indicators of Compromise
- **File indicators:** Malicious Checkmarx AST Scanner plugin versions published on or after May 9, 2026.
- **Behavioral indicators:** Unauthorized renaming of GitHub repositories; "Dune" themed descriptions ("Shai-Hulud").
- **Known Clean Version:** 2.0.13-829.vc72453fa_1c16 (Dated Dec 17, 2025).
## Response Actions
- **Containment:** Flagged malicious versions on Jenkins Marketplace; alerted customers via official statement.
- **Eradication:** Removal of defaced GitHub descriptions and malicious packages.
- **Recovery:** Publishing a verified clean version of the AST Scanner plugin to override the malicious update.
## Lessons Learned
- **Key Takeaway:** Incident response is incomplete if the "root cause" (leaked secrets) is not fully remediated. TeamPCP mocked the organization for failing to rotate secrets after the previous month's attack.
- **Failure Point:** Trusting that a single cleanup effort removed all persistence; attackers likely maintained a "dormant" foothold or used unexpired tokens.
## Recommendations
- **Rotate All Secrets:** Perform a global reset of all CI/CD tokens, API keys, and publishing credentials.
- **Implement MFA:** Ensure all marketplace and repository publishing accounts require hardware-based Multi-Factor Authentication.
- **Version Pinning and Integrity Checks:** Encourage customers to pin exact versions and verify checksums for all third-party plugins rather than accepting marketplace updates automatically.
- **Audit Persistence:** Conduct a deep forensic audit of all developer environments to identify hidden backdoors that survived the March and April incidents.
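The pinning and checksum recommendation above, together with the indicators of compromise (a known-clean version string, and anything published after it being suspect), is the kind of control that can be scripted on the consuming side. The following is an added example, not Checkmarx's or the Jenkins project's own tooling: it audits the plugin archives in a controller's `JENKINS_HOME/plugins` directory against an allowlist of (exact version, SHA-256) pairs, so a marketplace-pushed update that changes either the version string or the archive bytes is flagged before anyone trusts it. The plugin short name `checkmarx-ast-scanner` is an assumption; the clean version string is the one the report names; all archives built inside `demo()` are constructed for the demonstration, and the pinned hash is taken from a trusted copy rather than from the marketplace.

```python
"""Pinned-plugin integrity audit for a Jenkins controller (added example).

A plugin .jpi/.hpi is a ZIP whose META-INF/MANIFEST.MF carries Short-Name
and Plugin-Version headers. The audit compares each installed archive with
an allowlist entry of (exact version, sha256) captured from a trusted copy.
"""
import hashlib
import io
import sys
import zipfile
from pathlib import Path

CLEAN_CHECKMARX_VERSION = "2.0.13-829.vc72453fa_1c16"  # version string from the report
ASSUMED_SHORT_NAME = "checkmarx-ast-scanner"            # assumed plugin id, not from the report
FIXED_ZIP_TIME = (2025, 12, 17, 0, 0, 0)                 # fixed timestamp so demo bytes are stable


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_plugin_archive(short_name: str, version: str, extra: bytes = b"") -> bytes:
    """Construct a minimal plugin archive for the demo (not a real plugin)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = ("Manifest-Version: 1.0\r\n"
                    f"Short-Name: {short_name}\r\n"
                    f"Plugin-Version: {version}\r\n")
        zf.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF", FIXED_ZIP_TIME), manifest)
        if extra:  # stand-in for injected content behind an unchanged manifest
            zf.writestr(zipfile.ZipInfo("WEB-INF/lib/extra.jar", FIXED_ZIP_TIME), extra)
    return buf.getvalue()


def read_manifest(archive: bytes) -> dict:
    """Parse MANIFEST.MF headers, joining the leading-space continuation
    lines the JAR manifest format uses for values longer than 72 bytes."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    headers, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            headers[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            headers[last] = value.strip()
    return headers


def check_plugin(archive: bytes, allowlist: dict) -> tuple:
    """Return (short_name, observed_version, verdict).
    Verdicts: ok, unpinned, version-mismatch, hash-mismatch, unreadable."""
    try:
        headers = read_manifest(archive)
    except (zipfile.BadZipFile, KeyError):
        return ("?", "?", "unreadable")
    name = headers.get("Short-Name", "?")
    version = headers.get("Plugin-Version", "?")
    if name not in allowlist:
        return (name, version, "unpinned")
    pinned_version, pinned_sha = allowlist[name]
    if version != pinned_version:
        return (name, version, "version-mismatch")
    if sha256_hex(archive) != pinned_sha:  # same version string, different bytes
        return (name, version, "hash-mismatch")
    return (name, version, "ok")


def audit_plugins_dir(plugins_dir: str, allowlist: dict) -> list:
    """Audit every .jpi/.hpi under a real JENKINS_HOME/plugins directory."""
    return [check_plugin(p.read_bytes(), allowlist)
            for p in sorted(Path(plugins_dir).glob("*.[jh]pi"))]


def demo() -> list:
    """Constructed scenario: pin from a trusted copy, then audit that copy, a
    pushed newer version, a same-version tampered archive and an unpinned plugin."""
    trusted = build_plugin_archive(ASSUMED_SHORT_NAME, CLEAN_CHECKMARX_VERSION)
    allowlist = {ASSUMED_SHORT_NAME: (CLEAN_CHECKMARX_VERSION, sha256_hex(trusted))}
    samples = [
        trusted,
        build_plugin_archive(ASSUMED_SHORT_NAME, "2.0.14-900.v00000000_0000"),  # constructed
        build_plugin_archive(ASSUMED_SHORT_NAME, CLEAN_CHECKMARX_VERSION, extra=b"not the real jar"),
        build_plugin_archive("some-other-plugin", "1.0"),  # constructed, not on the allowlist
    ]
    return [check_plugin(a, allowlist)[2] for a in samples]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: audit.py /path/to/JENKINS_HOME/plugins <sha256 of the trusted Checkmarx .jpi>
        pins = {ASSUMED_SHORT_NAME: (CLEAN_CHECKMARX_VERSION, sys.argv[2])}
        for row in audit_plugins_dir(sys.argv[1], pins):
            print(*row)
    else:
        print(demo())  # ['ok', 'version-mismatch', 'hash-mismatch', 'unpinned']
```

The hash check is what makes the version pin meaningful: a publishing-account takeover can re-release an archive under any version string it likes, including the known-clean one, so the comparison has to be against bytes captured from a copy the operator already trusts, not against whatever the marketplace currently serves. Anything reported as `unpinned` or `version-mismatch` is a change to review, and `hash-mismatch` is a change to treat as hostile until proven otherwise.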