Tampered Checkmarx Jenkins plugin pushed via supply-chain attack
TL;DR - A tampered checkmarx-ast-scanner Jenkins plugin was published as version 2026.5.09 and was available in the Jenkins Marketplace for roughly 31 hours. If any of your Jenkins controllers pulled that version, treat it as a CI trust-boundary breach. Checkmarx's known-good version is 2.0.13-829.vc72453fa_1c16.
What happened
checkmarx-ast-scanner is the Jenkins plugin that connects pipelines to Checkmarx One scanning - it packages source, calls the Checkmarx CLI, and runs inside your build control plane with the privileges that implies.
On 11 May 2026, SecurityWeek reported that Checkmarx had warned users a modified version of the plugin had been published to the Jenkins Marketplace as part of a supply-chain attack. Checkmarx published indicators of compromise alongside a precise availability window:
| Item | Value |
|---|---|
| Rogue version | 2026.5.09 |
| Window (UTC) | 2026-05-09 01:25:00 to 2026-05-10 08:47:00 |
| HPI SHA-256 | 01ff1e56fd59a8fa525d97e670f7f297a1a204331b89b2cd4e36a9abc6419203 |
| JAR SHA-256 | f50a96d26a5b0beb29de4127e82b2bf350c21511e5a43d286e43f798dc6cd53f |
Jenkins plugins load into the controller JVM with no sandbox: they run with the same privileges as Jenkins itself, which includes reading every credential in the controller's credential store and running code on any agent the controller dispatches work to. A tampered pipeline plugin is therefore not just a build-integrity problem. The realistic blast radius is secrets exfiltration and downstream supply-chain pivoting - the same pattern behind most serious CI compromises. For broader context on this attack class, see our supply-chain security research hub.
Who is impacted
- Jenkins controllers that installed or updated `checkmarx-ast-scanner` to `2026.5.09` during the window above.
- Environments that pull plugin versions automatically from the Jenkins update centre or Marketplace, where a rogue publish can propagate silently and quickly. Jenkins itself does not upgrade plugins unattended, but a controller image rebuilt from an unpinned plugin list (for example a `plugins.txt` with no version for the entry) installs whatever the update centre serves at build time.
- Any CI job where the plugin had access to high-value material: SCM credentials, artifact registry tokens, cloud access keys, signing keys, or deployment credentials.
One scope note worth flagging: the Jenkins plugin index lists the warning as affecting "version 2026.5.09 and earlier". Checkmarx's published IOCs are explicitly scoped to 2026.5.09 artefacts. Use the concrete hashes and the time window for incident scoping - treat the Jenkins index label as a broad caution, not a precise blast-radius definition.
What to do now
- Verify installed plugin versions across every Jenkins controller, via the Installed tab under Manage Jenkins > Plugins or, for scripted checks, `GET /pluginManager/api/json?depth=1`. You're looking for `checkmarx-ast-scanner` at version `2026.5.09`.
- Follow Checkmarx's version guidance:
  "If you are using Checkmarx Jenkins AST Plugin, you need to ensure that you are using the version `2.0.13-829.vc72453fa_1c16` that was published on Dec. 17, 2025 or previously."
- Validate artefacts by hash if your plugin install path is indirect - via base images, config management, or infrastructure-as-code. Compare against the SHA-256 values above. A hash check also catches the case where the rogue archive sits on disk under a different file name, which a version listing alone would miss.
- If you confirm exposure to the rogue version, open an incident scoped to your CI trust boundary:
- review Jenkins controller and agent logs for unexpected plugin loads and anomalous network egress during the exposure window
- inventory every credential accessible to impacted jobs and rotate based on your IR policy and available evidence
- After containment, harden your Jenkins plugin supply-chain posture: pin to verified plugin catalogues, restrict update paths, and enforce least-privilege credential scoping. Our secure CI/CD guide covers the specifics.
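The version and hash checks above, as an added example that is not Checkmarx's or the Jenkins project's own tooling: a Python scanner that opens every plugin archive under `$JENKINS_HOME/plugins`, reads `Short-Name` and `Plugin-Version` from its manifest, hashes the file against the IOCs in the table, and applies the same version check to the JSON returned by `/pluginManager/api/json?depth=1` for controllers you can only reach over HTTP. It assumes the standard plugins-directory layout, that Jenkins keeps the previous build as `<name>.jpi.bak` after an update (so a controller that has already been rolled forward or back can still hold the rogue artefact), and that the API's `plugins` array carries `shortName` and `version` per entry. The fixture archives it builds are constructed for the demo: their hashes will not match the IOCs, and `example-plugin` is a hypothetical name.

```python
# Added example (not Checkmarx's or the Jenkins project's tooling). Assumes the
# standard $JENKINS_HOME/plugins layout: one .jpi/.hpi archive per plugin with
# Short-Name and Plugin-Version in META-INF/MANIFEST.MF, and the previous build
# kept as <name>.jpi.bak after an update. IOC values are from the advisory above.
import hashlib
import json
import sys
import tempfile
import zipfile
from pathlib import Path

ROGUE_PLUGIN = "checkmarx-ast-scanner"
ROGUE_VERSION = "2026.5.09"
KNOWN_GOOD_VERSION = "2.0.13-829.vc72453fa_1c16"
ROGUE_HASHES = {  # SHA-256 of the rogue HPI and JAR, from Checkmarx's IOCs
    "01ff1e56fd59a8fa525d97e670f7f297a1a204331b89b2cd4e36a9abc6419203",
    "f50a96d26a5b0beb29de4127e82b2bf350c21511e5a43d286e43f798dc6cd53f",
}
PLUGIN_SUFFIXES = (".jpi", ".hpi", ".bak")  # .bak: previous build Jenkins keeps

def parse_manifest(raw: bytes) -> dict:
    """Parse META-INF/MANIFEST.MF; values over 72 bytes wrap onto a
    continuation line with one leading space (a long Plugin-Version can)."""
    attrs, key = {}, None
    for line in raw.decode("utf-8", errors="replace").splitlines():
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            attrs[key] = value.strip()
    return attrs

def inspect_plugin_archive(path: Path) -> dict:
    """Plugin archives are JARs: identity comes from the manifest, not the file name."""
    with zipfile.ZipFile(path) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
    return {"file": path.name,
            "short_name": manifest.get("Short-Name", path.name.split(".")[0]),
            "version": manifest.get("Plugin-Version", "unknown"),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}

def classify(info: dict) -> str:
    """A hash match is decisive whatever the archive is called; then check version."""
    if info["sha256"] in ROGUE_HASHES:
        return "ROGUE_HASH"
    if info["short_name"] != ROGUE_PLUGIN:
        return "NOT_IN_SCOPE"
    if info["version"] == ROGUE_VERSION:
        return "ROGUE_VERSION"  # version IOC hit with a different hash: still exposure
    if info["version"] == KNOWN_GOOD_VERSION:
        return "KNOWN_GOOD"
    return "REVIEW"  # some other build: compare against Checkmarx's release hashes

def scan_plugins_dir(plugins_dir: Path) -> list:
    findings = []
    for path in sorted(plugins_dir.iterdir()):
        if path.is_file() and path.suffix in PLUGIN_SUFFIXES:
            info = inspect_plugin_archive(path)
            info["verdict"] = classify(info)
            findings.append(info)
    return findings

def rogue_entries_from_api(api_json: str) -> list:
    """Same version check against GET /pluginManager/api/json?depth=1 on a live
    controller; its 'plugins' array carries shortName and version per plugin."""
    return [p for p in json.loads(api_json).get("plugins", [])
            if p.get("shortName") == ROGUE_PLUGIN and p.get("version") == ROGUE_VERSION]

def build_sample_plugins_dir(root: Path) -> Path:
    """Constructed fixtures, not real Checkmarx artefacts: minimal archives whose
    manifests carry the versions of interest (their hashes will not match the IOCs)."""
    plugins = root / "plugins"
    plugins.mkdir(parents=True, exist_ok=True)
    fixtures = {"checkmarx-ast-scanner.jpi": (ROGUE_PLUGIN, ROGUE_VERSION),
                "checkmarx-ast-scanner.jpi.bak": (ROGUE_PLUGIN, KNOWN_GOOD_VERSION),
                "example-plugin.jpi": ("example-plugin", "1.0")}  # hypothetical name
    for name, (short_name, version) in fixtures.items():
        manifest = (f"Manifest-Version: 1.0\r\nShort-Name: {short_name}\r\n"
                    f"Plugin-Version: {version}\r\n")
        with zipfile.ZipFile(plugins / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    return plugins

def self_check() -> dict:
    """Scan the constructed fixtures; returns {file name: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_plugins_dir(build_sample_plugins_dir(Path(tmp)))
    return {f["file"]: f["verdict"] for f in findings}

if __name__ == "__main__":  # real use: python scan_plugins.py $JENKINS_HOME/plugins
    if len(sys.argv) > 1:
        for f in scan_plugins_dir(Path(sys.argv[1])):
            print(f"{f['verdict']:14} {f['version']:28} {f['sha256']}  {f['file']}")
    else:
        print(self_check())
```

Run it with the plugins directory as its only argument; with no argument it scans the constructed fixtures. `ROGUE_HASH` is decisive on its own. `ROGUE_VERSION` with a non-matching hash is still an exposure, for the reason given in the scope note above: the IOC hashes describe the artefacts Checkmarx saw, not every byte sequence that could have carried that version string. `REVIEW` means a build that is neither the rogue nor the known-good version, which you compare against Checkmarx's published release hashes before deciding.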
Additional information
- Checkmarx incident update with IOCs and release hashes (dated 9 May 2026): checkmarx.com
- Jenkins plugin index warning label for `checkmarx-ast-scanner`: plugins.jenkins.io