Full Report
Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace. "If you are using Checkmarx Jenkins AST plugin, you need to ensure that you are using the version 2.0.13-829.vc72453fa_1c16 that was published on December 17, 2025 or previously," the cybersecurity company said in a statement over the weekend. As of writing, Checkmarx has released
Analysis Summary
# Incident Report: Compromised Checkmarx Jenkins AST Plugin
## Executive Summary
A modified, unauthorized version of the Checkmarx Jenkins AST (Application Security Testing) plugin was successfully published to the official Jenkins Marketplace. The supply chain attack targeted organizations using the plugin for automated security scanning within their CI/CD pipelines. Checkmarx has urged users to revert to or maintain a specific verified version to mitigate the risk of malicious code execution.
## Incident Details
- **Discovery Date:** Pre-December 20, 2025 (Based on weekend statement)
- **Incident Date:** December 17, 2025 (Publication of the last known good version)
- **Affected Organization:** Checkmarx (Plugin Developer) and Jenkins Marketplace Users
- **Sector:** Technology / Software Development Support
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Post-December 17, 2025
- **Vector:** Supply Chain Compromise / Marketplace Account Takeover
- **Details:** Attackers successfully published a malicious or "modified" version of the plugin directly to the official Jenkins plugin repository.
### Lateral Movement
- **Details:** Information regarding movement within Checkmarx's internal systems is currently undisclosed; however, the plugin serves as a vector for lateral movement into Jenkins build environments (CI/CD servers) of down-stream customers.
### Data Exfiltration/Impact
- **Details:** Modified plugins in a CI/CD environment typically aim to steal secrets (API keys, credentials), exfiltrate source code, or inject backdoors into the software being built.
### Detection & Response
- **How it was discovered:** Internal audit or community report (Specific detection method not disclosed in snippet).
- **Response actions taken:** Checkmarx issued a public advisory and identified the last known secure version (2.0.13-829.vc72453fa_1c16).
## Attack Methodology
- **Initial Access:** Supply Chain Injection (Authorized Marketplace publication).
- **Persistence:** Malicious code embedded within a trusted plugin used in automated build processes.
- **Privilege Escalation:** Likely targeting Jenkins "System" or "Admin" permissions.
- **Defense Evasion:** Use of legitimate marketplace infrastructure to bypass traditional signature or source-of-origin checks.
- **Credential Access:** Likely targeted Jenkins credentials, environment variables, and Checkmarx API keys.
- **Impact:** Potential remote code execution (RCE) on CI/CD infrastructure.
## Impact Assessment
- **Financial:** N/A (Undisclosed).
- **Data Breach:** Risk of source code theft and credential exposure for all users of the modified plugin.
- **Operational:** Disruption to secure software development lifecycles (SDLC) as teams must audit and roll back plugins.
- **Reputational:** High impact to Checkmarx, as a security-focused vendor's own tool was compromised.
## Indicators of Compromise
- **File indicators:** Versions of Checkmarx Jenkins AST plugin published *after* December 17, 2025.
- **Safe Version:** 2.0.13-829.vc72453fa_1c16 (Dated 2025-12-17).
- **Behavioral indicators:** Unusual outbound network traffic from Jenkins nodes; unauthorized access to source code repositories.
## Response Actions
- **Containment measures:** Identification of compromised versions and public notification.
- **Eradication steps:** Users instructed to downgrade to the last known-good version.
- **Recovery actions:** Validation of plugin integrity and audit of builds conducted during the window of compromise.
## Lessons Learned
- **Marketplace Trust:** Even plugins from reputable security vendors on official marketplaces can be compromised.
- **Version Pinning:** The importance of pinning plugin versions rather than allowing automatic "latest" updates in CI/CD pipelines.
- **Code Signing:** Need for more rigorous signing and verification of plugin binaries by both vendors and marketplace providers.
## Recommendations
- **Pin Versions:** Explicitly define plugin versions in Jenkins configuration (Configuration as Code).
- **Audit Logs:** Monitor Jenkins logs for unexpected plugin updates or unauthorized administrative actions.
- **Least Privilege:** Ensure Jenkins service accounts have the minimum necessary access to source code and deployment environments.
- **Integrity Checks:** Implement checksum or hash verification for third-party tools used in the build process.