Checkmarx Jenkins Plugin Compromised with Infostealer

Checkmarx has confirmed that a malicious version of its Jenkins Application Security Testing (AST) plugin was briefly distributed on the Jenkins Marketplace. BleepingComputer reports that the rogue package, active for less than 24 hours, contained an infostealer. While the plugin has since been removed and a clean version restored, any organization that downloaded or updated the Checkmarx AST plugin during the compromise window should assume exposure.

This incident highlights the pervasive risk within software supply chains, even for security vendors themselves. An attacker successfully injected malicious code into a widely used development tool plugin, a prime target for credential harvesting given its access to CI/CD pipelines and potentially source code repositories. The attacker’s calculus is clear: compromise a trusted component to gain access to sensitive developer environments and ultimately, intellectual property or production systems.

For defenders, this is a stark reminder that even tools designed to enhance security can become vectors for attack. The brief window of compromise means detection might be challenging without robust supply chain security monitoring. It’s not just about patching — it’s about validating the integrity of every component in your build pipeline, especially those with elevated privileges.