Checkmarx Jenkins Plugin Compromised in Supply Chain Attack

by Anika Shah - Technology

Checkmarx Warns of Malicious Jenkins AST Plugin in Supply Chain Attack

Security teams using Jenkins for continuous integration (CI) pipelines are on high alert following a supply chain attack targeting the Checkmarx Jenkins AST plugin. Checkmarx has confirmed that a modified, unauthorized version of the plugin was published to the public Jenkins plugin repository (referred to as the Jenkins Marketplace in the advisory), so any Jenkins controller that installed or auto-updated the plugin from that channel may be running attacker-controlled code with the plugin's privileges.

In a security update published on May 9, 2026, the company alerted its customers to the compromise and urged them to verify the version of the plugin currently running in their environments.

The Core Risk: Trust in the Pipeline

The Jenkins AST plugin integrates the Checkmarx One platform into Jenkins pipelines, allowing developers to scan source code for vulnerabilities automatically as part of each build. Because the tool is installed specifically to enhance security, it runs with access to the source checkout and to the credentials jobs hand it, which places it in a highly privileged position within the DevOps lifecycle.


When a security plugin is compromised, the trust model of the entire pipeline is broken. A malicious plugin does not just affect a single project; it runs inside every job that invokes it and can read the source code, environment variables and any secrets visible to the Jenkins controller or agent executing that job, effectively turning a security tool into a backdoor.

Critical Action: Verify Your Plugin Version

Checkmarx has explicitly stated that plugin versions published from May 9, 2026 onward should not be trusted, and that only one earlier release is verified as legitimate. To ensure your environment remains secure, you must confirm that the installed build is exactly that release.

The only verified safe version is:
2.0.13-829.vc72453fa_1c16

This specific release was published on December 17, 2025, and remains the trusted version for users of the Checkmarx Jenkins AST plugin.

Key Takeaways for DevOps Teams

  • Immediate Audit: Open the installed-plugins list in the Jenkins plugin manager (or read the plugin's manifest under JENKINS_HOME/plugins) and confirm the Checkmarx AST Scanner version is exactly the December 17, 2025, release, 2.0.13-829.vc72453fa_1c16.
  • Avoid Recent Updates: Do not install or update to any version of the plugin published on or after May 9, 2026, and disable automatic plugin updates for it, until Checkmarx officially confirms a new patched release.
  • Rotate Secrets: If you discover a modified version of the plugin was installed, assume every credential the plugin could have read has been compromised: the Checkmarx API key, credentials injected into jobs that ran the scanner, and any environment variables visible to the Jenkins controller or agents that executed those jobs. Rotate them immediately.

Frequently Asked Questions

How do I know if my plugin is compromised?

Compare your currently installed version string against the trusted release, 2.0.13-829.vc72453fa_1c16. The comparison must be exact: a version that differs in any way, especially one installed or updated on or after May 9, 2026, should be treated as the modified version until proven otherwise.
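The audit step above and the answer to this question are the same check, so here is one script that performs it. This is an added example, not tooling from Checkmarx or the Jenkins project. It assumes the plugin's short name is checkmarx-ast-scanner and that, as for Jenkins plugins generally, the installed build records its version in the Plugin-Version attribute of JENKINS_HOME/plugins/<short-name>/META-INF/MANIFEST.MF; the two sample manifests embedded in the script are constructed for an offline dry run and are not real plugin files.

```shell
#!/bin/sh
# Added example: compare the installed Checkmarx AST plugin build against the
# single trusted release named in the Checkmarx advisory. Not Checkmarx's or
# Jenkins' own tooling. PLUGIN_ID is an assumed short name.
TRUSTED_VERSION="2.0.13-829.vc72453fa_1c16"
PLUGIN_ID="checkmarx-ast-scanner"

# Extract Plugin-Version from a MANIFEST.MF body on stdin.
# Manifests are CRLF-terminated and wrap long values onto continuation lines
# that begin with a single space, so both cases are handled.
manifest_version() {
  tr -d '\r' | awk '
    /^Plugin-Version:/ { v = substr($0, index($0, ":") + 1); sub(/^ +/, "", v); found = 1; next }
    found && /^ /      { v = v substr($0, 2); next }
    found              { exit }
    END                { print v }'
}

# Print a verdict for an installed version; return 0 only on an exact match.
verdict() {
  installed="$1"
  if [ "$installed" = "$TRUSTED_VERSION" ]; then
    echo "OK: $PLUGIN_ID $installed matches the trusted release"
    return 0
  fi
  echo "ALERT: $PLUGIN_ID reports '$installed', expected '$TRUSTED_VERSION'."
  echo "       Treat as untrusted: remove the plugin, reinstall the trusted build, rotate secrets."
  return 1
}

# Live check on a real controller: read the manifest from JENKINS_HOME.
check_local_install() {
  mf="${JENKINS_HOME:-/var/lib/jenkins}/plugins/$PLUGIN_ID/META-INF/MANIFEST.MF"
  if [ ! -f "$mf" ]; then
    echo "INFO: $PLUGIN_ID is not installed (no $mf)"
    return 0
  fi
  verdict "$(manifest_version < "$mf")"
}

# Constructed sample manifests for the offline dry run (not real plugin files).
SAMPLE_GOOD='Manifest-Version: 1.0
Short-Name: checkmarx-ast-scanner
Plugin-Version: 2.0.13-829.vc72453fa_1c16
Jenkins-Version: 2.401.3
'
# The bad version string below is invented to exercise the mismatch path.
SAMPLE_BAD='Manifest-Version: 1.0
Short-Name: checkmarx-ast-scanner
Plugin-Version: 2.0.14-900.vfake0000000
'

if [ "${1:-}" = "--live" ]; then
  check_local_install
else
  verdict "$(printf '%s' "$SAMPLE_GOOD" | manifest_version)"
  verdict "$(printf '%s' "$SAMPLE_BAD" | manifest_version)" || true
fi
```

Run it with --live on the controller (as a user that can read JENKINS_HOME) to check the real install; without arguments it runs against the constructed samples. The same version string is also exposed by the Jenkins plugin manager's JSON API at /pluginManager/api/json?depth=1, which is convenient for fleet-wide checks, but the manifest on disk is what actually loads, so prefer it when you suspect tampering.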


What should I do if I installed the malicious version?

Immediately remove the plugin, reinstall the trusted December 2025 release (2.0.13-829.vc72453fa_1c16) and pin it so it is not auto-updated, then begin an incident response process: establish when the modified version was installed, which jobs ran it during that window, and which source code, credentials and environment variables those jobs exposed, and rotate every secret in that set.

Why is this considered a supply chain attack?

It is a supply chain attack because the threat actor did not target end users directly. Instead, they compromised a trusted third-party distribution point, the Jenkins plugin repository, so that every organization that installed or updated what it believed was the official Checkmarx plugin received the malicious code through its normal, trusted update path.

As supply chain attacks continue to target the very tools meant to secure the software lifecycle, the industry must move toward more rigorous verification methods, such as software bills of materials (SBOMs) and strict cryptographic signing of all pipeline artifacts.
