Full Report
Previously, the attackers gained access to internal resources, and used it to extract sensitive credentials, including publishing credentials for Jenkins plugins. Using this access, they modified and redistributed the Checkmarx AST Scanner Jenkins Plugin via the official plugi...
Analysis Summary
# Incident Report: Compromise of Checkmarx Jenkins AST Plugin
## Executive Summary
A supply chain attack targeted the Checkmarx AST Scanner Jenkins Plugin after attackers, identified as TeamPCP, gained access to internal resources and sensitive publishing credentials. The adversaries modified the official plugin to include a backdoor designed to exfiltrate credentials from Jenkins environments. The incident highlights the critical risk of credential exposure and the impact of hijacked software distribution channels.
## Incident Details
- **Discovery Date:** May 2026
- **Incident Date:** Circa May 9, 2026
- **Affected Organization:** Checkmarx (Plugin Developer) and Jenkins users
- **Sector:** Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Preceding May 9, 2026
- **Vector:** Breach of internal resources/Credential theft
- **Details:** Attackers gained access to internal systems to extract sensitive credentials, including those used for publishing Jenkins plugins.
### Lateral Movement
- The attackers leveraged internal access to manipulate GitHub repositories and the Jenkins plugin distribution infrastructure.
### Data Exfiltration/Impact
- **Malicious Update:** The official Checkmarx AST Scanner Jenkins Plugin was modified with a backdoored `cli.js` file.
- **Credential Theft:** The backdoored plugin was designed to exfiltrate credentials from Jenkins environments where it was installed.
- **Source Control:** Attackers briefly controlled and renamed an associated GitHub repository, exposing sensitive data.
### Detection & Response
- **How it was discovered:** Public reporting and security research (e.g., Adnan Khan).
- **Response actions taken:** Revocation of compromised Personal Access Tokens (PATs) and remediation of the official plugin distribution channel.
## Attack Methodology
- **Initial Access:** Valid credential abuse following an internal resource compromise.
- **Persistence:** Maintaining control over publishing tokens and GitHub repository access.
- **Defense Evasion:** Using the official, trusted distribution channel to bypass standard security filters.
- **Credential Access:** Extraction of sensitive credentials from the build environment and via the backdoored `cli.js`.
- **Exfiltration:** Automated exfiltration of Jenkins credentials to attacker-controlled infrastructure.
- **Impact:** Supply chain compromise and package hijacking.
## Impact Assessment
- **Financial:** Undisclosed; costs associated with incident response and remediation.
- **Data Breach:** Exposure of Jenkins environment credentials and sensitive data within GitHub repositories.
- **Operational:** Disruption of the plugin ecosystem and requirement for manual updates/remediation by users.
- **Reputational:** Massive impact on trust for both the plugin provider and Jenkins plugin distribution.
## Indicators of Compromise
- **File indicators:** Modified `cli.js` within the Checkmarx AST Scanner Jenkins Plugin.
- **Behavioral indicators:** Unauthorized commits to GitHub; unusual renaming of official repositories; unauthorized publishing of plugin updates.
- **Network indicators:** (Defanged) Exfiltration traffic to hxxps[://]x[.]com/adnanthekhan (Referenced research).
## Response Actions
- **Containment:** Revocation of the compromised Github Personal Access Token (PAT).
- **Eradication:** Removal of the malicious plugin version from the official distribution channel.
- **Recovery:** Restoration of official repository naming and publication of a clean version of the plugin.
## Lessons Learned
- **Credential Management:** Sensitive publishing credentials and PATs stored in accessible internal resources pose a catastrophic risk.
- **Supply Chain Security:** Distribution channels are high-value targets; trust in "official" updates should be verified through integrity checks.
- **Monitoring:** Lack of immediate detection of repository renaming suggests a need for better monitoring of administrative changes in VCS.
## Recommendations
- **Rotate Credentials:** Immediately rotate all Jenkins and GitHub credentials if the affected plugin version was installed.
- **Enable MFA:** Enforce Multi-Factor Authentication for all accounts with publishing or repository administrative rights.
- **Secret Scanning:** Implement automated secret scanning to prevent the inclusion of PATs in commit history.
- **Integrity Validation:** Use cryptographic signing for plugins and binary artifacts to ensure users can verify the source of the update.