Checkmarx Jenkins AST Plugin Compromised with Infostealer – May 2026
Impact Assessment Rationale
The compromise of an official plugin on a widely used marketplace (Jenkins) has significant potential reach across enterprise DevOps environments globally, with risk of credential theft, data exfiltration, and downstream pipeline compromise. However, the full scope of affected organisations is not yet confirmed.
Summary
Checkmarx issued a warning over the weekend of 11 May 2026 that a rogue, malicious version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace. The compromised package contained infostealer malware designed to exfiltrate sensitive data from developer and CI/CD environments. The incident represents a software supply chain attack targeting users of the widely used Jenkins continuous integration platform. Checkmarx advised affected users to remove the rogue plugin immediately.
This summary is AI-generated from linked source reports and may change as more information becomes available. See our correction policy for how to report errors.
Structured Intelligence
Known
- A rogue version of the Checkmarx Jenkins AST plugin was published on the Jenkins Marketplace.
- The malicious package contained infostealer malware.
- Checkmarx issued a public warning over the weekend of 11 May 2026.
- The incident was reported by BleepingComputer on 11 May 2026.
Reported
- The rogue plugin was available for download via the official Jenkins Marketplace, increasing the potential victim count.
- The attack appears designed to target developer pipelines and CI/CD environments.
Uncertain
- The identity or attribution of the threat actor behind the compromise is not confirmed.
- The number of organisations or individuals who downloaded and executed the malicious plugin is unknown.
- Whether state-sponsored actors were involved has not been confirmed.
- The duration for which the malicious package was available before detection is unclear.
Sources
Trade Media
- BleepingComputer, 12 May 2026, 05:55
Timeline
- Status changed to monitoring (auto-transitioned: no updates for 6 hours). Lifecycle changed: active → monitoring
- Status changed to active (remediation: existing authoritative signal). Lifecycle changed: signal → active
Initial Detection
Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace.
Source: BleepingComputer (Trade Media)