🤚 The Open-Palm Incident Report
The TeamPCP hacking group has successfully backdoored the official Checkmarx Jenkins Application Security Testing (AST) plugin, turning one of the most widely-used security scanning tools in enterprise CI/CD pipelines into a credential-stealing operation. The malicious version — 2026.5.09 — was uploaded to the Jenkins Marketplace on May 9, and Checkmarx issued a public warning two days later on May 11.
The attackers left a note, because apparently even cybercriminals have a communications department now: “Checkmarx fails to rotate secrets again. With love — TeamPCP.”
With love. With love.
👐 The Two-Handed Breach Genealogy
Here’s where it gets architecturally beautiful in the worst possible way. TeamPCP gained access to Checkmarx’s GitHub repositories using credentials stolen during the March 2026 Trivy vulnerability scanner breach. Let that sink in: a vulnerability scanner was breached, and the stolen credentials were then used to compromise a security testing tool. It’s a supply chain attack on the supply chain security supply chain.
The compromised plugin contained infostealer code designed to harvest credentials from every Jenkins instance that installed the update. Jenkins — for the uninitiated — is one of the most widely deployed CI/CD automation platforms in existence, responsible for building, testing, and deploying software across thousands of organizations. It is, in effect, the plumbing of modern software development. And someone just poisoned the water supply.
The rogue version lacked several telltale signs of legitimacy:
- No corresponding git tag or GitHub release
- A version naming convention that deviated from the standard format
- The last legitimate version was 2.0.13-829.vc72453fa_1c16 from December 2025 — a version number that looks like someone fell asleep on a keyboard, but at least it was authentically generated by someone falling asleep on a keyboard
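The three indicators above can be turned into a routine check a pipeline owner runs before accepting a plugin update. The following is an added example and not code from the original report, Checkmarx or the Jenkins project: it encodes the version-naming convention inferred from the page's last legitimate version (the Jenkins "incrementals" shape, an assumption that should be adjusted per plugin), uses a constructed placeholder tag prefix rather than the plugin's real artifact id, and takes tag and release lists as constructed inline data so it runs offline.

```python
"""Release-provenance check for a Jenkins plugin version (added example).

Not code from the original report or from Checkmarx/Jenkins. It checks the
three indicators named above: the version string should match the plugin's
established naming convention, and both a git tag and a GitHub release should
exist for it. Tag/release data is constructed inline; in practice it would
come from `git ls-remote --tags` and the GitHub releases API.
"""
import re

# Convention inferred from the last legitimate version on the page,
# 2.0.13-829.vc72453fa_1c16 (Jenkins "incrementals" style:
# <major>.<minor>.<patch>-<build>.v<short git hash, '_' substitutions>).
# This is an assumption for this plugin, not a Jenkins-wide rule.
INCREMENTAL_VERSION = re.compile(r"^\d+\.\d+\.\d+-\d+\.v[0-9a-f_]+$")

# Constructed placeholder; not the plugin's real artifact id.
PLUGIN_TAG_PREFIX = "example-plugin-"


def version_matches_convention(version: str) -> bool:
    """True if the version string has the plugin's established shape."""
    return INCREMENTAL_VERSION.fullmatch(version) is not None


def _names_for(version: str) -> set:
    """Tag or release names under which this version could legitimately appear."""
    return {version, PLUGIN_TAG_PREFIX + version}


def audit_release(version: str, git_tags, github_releases) -> list:
    """Return the indicators that fail for `version`.

    An empty list means every provenance check passed. The order is fixed so
    results can be compared or logged consistently.
    """
    findings = []
    if not version_matches_convention(version):
        findings.append("version-format-deviates")
    if not (_names_for(version) & set(git_tags)):
        findings.append("no-git-tag")
    if not (_names_for(version) & set(github_releases)):
        findings.append("no-github-release")
    return findings


# Constructed sample data: only the December 2025 release is tagged and released.
LEGIT_VERSION = "2.0.13-829.vc72453fa_1c16"
GIT_TAGS = frozenset({PLUGIN_TAG_PREFIX + LEGIT_VERSION})
GITHUB_RELEASES = frozenset({LEGIT_VERSION})


if __name__ == "__main__":
    for candidate in (LEGIT_VERSION, "2026.5.09"):
        findings = audit_release(candidate, GIT_TAGS, GITHUB_RELEASES)
        verdict = "OK" if not findings else "SUSPECT: " + ", ".join(findings)
        print(f"{candidate:30} {verdict}")
```

Run against the two versions named on the page, the December release passes all three checks and `2026.5.09` fails all three. A version that matches the naming convention but has no tag or release still gets flagged, which is the case worth alerting on: a publish that skipped the normal release path even when the version number looks plausible.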
Offensive security engineer Adnan Khan identified and reported the compromise, after which Checkmarx confirmed the incident and advised all affected users to “assume that their credentials are compromised, rotate all secrets, and investigate for lateral movement or persistence.”
🌿 The Gentle Awakening
There is a particular flavor of irony reserved for security companies that get breached using credentials they failed to rotate. It’s the cybersecurity equivalent of a locksmith leaving their front door open, except the locksmith also left a note saying “I know, I know” and the burglars left a note saying “we told you last time.”
Because this is not TeamPCP’s first interaction with Checkmarx. The March Trivy breach was the opening act. The credentials stolen in that breach were the ones used here. Which means that somewhere between March and May, someone at Checkmarx had two months to rotate the secrets that TeamPCP had already demonstrated they possessed, and that rotation simply did not happen.
The attackers’ note — “Checkmarx fails to rotate secrets again” — suggests this is a pattern, not an incident. And when your attacker has to remind you to follow basic security hygiene, you have crossed a threshold from “breach victim” to “recurring character in someone else’s security awareness training.”
👑 The Gold-Leaf CI/CD Catastrophe
The implications here extend far beyond Checkmarx. Every organization running Jenkins with the AST plugin now faces the prospect that their security scanning tool was the attack vector — that the thing they installed to find vulnerabilities was itself the vulnerability. The calls are coming from inside the security audit.
Supply chain attacks on developer tools have become the prestige crime of modern hacking. Why spend months finding a zero-day in a target’s application when you can compromise the tools they use to build that application? The blast radius is exponentially larger, the access is deeper, and the trust assumptions are stronger. Nobody questions an update from their security vendor. That’s the entire point of having a security vendor.
The recommended remediation — reimage systems, rotate all secrets, investigate for lateral movement — is corporate-speak for “assume the worst and start over.” For organizations with complex CI/CD pipelines, that’s not a weekend project. That’s a quarter.
“The security tool was compromised by credentials stolen from a different security tool, which were never rotated despite the first security tool publicly announcing the breach. We have achieved security ouroboros.” — The Slap of Wisdom DevSecOps Bureau, currently auditing the tool they use to audit their tools