GoKawiilCheckmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace.
The compromise was claimed by the TeamPCP hacker group, which initiated a spree of supply-chain attacks that included the Shai-Hulud campaigns on npm and the Trivy vulnerability scanner breach, resulting in the delivery of credential-stealing malware.
Jenkins is one of the most widely used Continuous Integration/Continuous Deployment (CI/CD) automation solutions for software building, testing, code scanning, application packaging, and deploying updates to servers.
The Checkmarx AST plugin on the Jenkins Marketplace integrates security scanning into automated pipelines.
“We are aware that a modified version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace. We are in the process of publishing a new version of this plug-in,” Checkmarx alerted in the update.
This is the third incident in a series of supply-chain attacks the application security testing firm has suffered since late March.
According to offensive security engineer Adnand Khan, TeamPCP gained access to Checkmarx's GitHub repositories and backdoored the Jenkins AST plugin to deliver credential-stealing malware.
A company spokesperson confirmed to BleepingComputer that the threat actor obtained credentials to the repositories from the Trivy supply-chain attack in March.
A message the hackers left in the about section reads: "Checkmarx fails to rotate secrets again. With love - TeamPCP."
TeamPCP had access to Checkmarx's GitHub repositories
... continue reading