Canadian Cyber Security Journal

TeamPCP Backdoors Checkmarx Jenkins Plugin in Second Supply Chain Attack — CI/CD Pipelines at Risk

What Happened

The threat actor known as TeamPCP compromised the official Checkmarx Application Security Testing (AST) plugin on the Jenkins Marketplace, inserting a credential-stealing backdoor that was live from 01:25 UTC on May 9 to 08:47 UTC on May 10, 2026. The malicious version was assigned CVE-2026-33634 with a CVSS score of 9.4. Any CI/CD pipeline that pulled the plugin during this window and used it in an active build may have transmitted credentials, tokens, or secrets to attacker-controlled infrastructure.

This is TeamPCP’s second confirmed intrusion into Checkmarx in under two months. In late March, the group compromised Checkmarx’s KICS Docker image, two VS Code extensions, and a GitHub Actions workflow to push credential-stealing malware. Security researchers noted the group renamed Checkmarx’s GitHub repository to “Checkmarx-Fully-Hacked-by-TeamPCP-and-Their-Customers-Should-Cancel-Now” during the Jenkins attack — a deliberate provocation that signals ongoing access, not a one-time compromise. The return suggests initial remediation in March was incomplete, credentials were not fully rotated, or a persistent foothold was never identified.

Why This Matters for Canadian Organizations

Canadian software development teams, DevSecOps pipelines, and managed service providers using Checkmarx for application security testing are directly affected. The Checkmarx AST plugin is widely deployed in Jenkins-based CI/CD pipelines, including in financial services, healthcare, and federal government contractor environments where code security scanning is a compliance requirement.

The attack targets the security tooling layer itself — the tools organizations deploy to detect vulnerabilities in their own software. A backdoored security scanner has access to source code, build tokens, cloud credentials, container registry secrets, and API keys that flow through the pipeline during a scan. In a Canadian government contractor context, this represents direct exposure of sensitive build infrastructure. The supply chain attack pattern also raises questions under Bill C-26 obligations: if your software security tooling is itself compromised, how do you assess the integrity of applications you’ve already shipped?

The TeamPCP actor has now demonstrated repeated access to Checkmarx’s systems despite vendor-announced remediation. Organizations using Checkmarx products should treat all plugin versions and Docker images published between late March and May 10, 2026 as potentially suspect until Checkmarx provides a verified clean bill of health.

What to Do

Immediately audit Jenkins pipelines for the Checkmarx AST plugin version pulled between May 9 and May 10. If any build used an affected version, rotate all secrets, tokens, cloud credentials, and API keys visible to that pipeline. Verify you are running the confirmed clean plugin version documented in Checkmarx’s incident disclosure. Review Checkmarx’s KICS Docker image and VS Code extension versions against the March 2026 compromise timeline. Treat the full Checkmarx toolchain as requiring re-verification until Checkmarx publicly confirms integrity across all products. See the full reporting at The Hacker News and BleepingComputer.
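The audit above is easy to get wrong on two points: build timestamps recorded in local time shift the compromise window, and a plugin pulled inside the window stays malicious on that controller until it is replaced, so builds days later are still exposed. The following triage script is an added example written for this article, not code from Checkmarx, Jenkins, or the cited reporting. It uses only the window stated in the article; the controller names, plugin install times, job names and credential IDs are constructed sample data, and the exposure model (plugin file written inside the window, build started after that write, build actually ran a Checkmarx scan) is this example's own assumption, to be checked against Checkmarx's disclosure.

```python
"""Triage helper for the Checkmarx AST Jenkins plugin compromise window.

Added example, not the article's or any vendor's code. It flags builds that
could have run the backdoored plugin and lists the Jenkins credential IDs
those builds could see, so rotation can be scoped rather than guessed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Compromise window from the incident reporting (UTC); both ends inclusive.
WINDOW_START = datetime(2026, 5, 9, 1, 25, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 10, 8, 47, tzinfo=timezone.utc)


def to_utc(ts: datetime) -> datetime:
    """Refuse naive timestamps: a log in local time silently moves the window."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware: %r" % ts)
    return ts.astimezone(timezone.utc)


def pulled_in_window(installed_at: Optional[datetime]) -> bool:
    """True if the plugin file on a controller was written inside the window."""
    if installed_at is None:          # plugin not installed on that controller
        return False
    return WINDOW_START <= to_utc(installed_at) <= WINDOW_END


@dataclass(frozen=True)
class Build:
    controller: str                   # Jenkins controller the build ran on
    job: str
    number: int
    started: datetime                 # timezone-aware build start time
    ran_checkmarx: bool               # pipeline invoked a Checkmarx AST scan step
    credential_ids: Tuple[str, ...]   # Jenkins credential IDs bound during the build


def triage(builds: List[Build],
           installs: Dict[str, Optional[datetime]]) -> Tuple[List[Build], List[str]]:
    """Return (affected builds, credential IDs to rotate).

    `installs` maps controller name -> mtime of the Checkmarx plugin on that
    controller (None when absent). A build is exposed when its controller pulled
    the plugin inside the window, the build started at or after that pull, and
    the build actually ran a scan. Builds after the window on such a controller
    are still exposed: the malicious file stays until the plugin is replaced.
    """
    affected = []
    for b in builds:
        installed_at = installs.get(b.controller)
        if not pulled_in_window(installed_at):
            continue
        if b.ran_checkmarx and to_utc(b.started) >= to_utc(installed_at):
            affected.append(b)
    to_rotate = sorted({cid for b in affected for cid in b.credential_ids})
    return affected, to_rotate


# Constructed sample data (assumed, not from the article).
EDT = timezone(timedelta(hours=-4))   # a controller that logs in Toronto local time
UTC = timezone.utc
SAMPLE_INSTALLS = {
    "ci-east": datetime(2026, 5, 9, 3, 10, tzinfo=UTC),    # pulled inside the window
    "ci-west": datetime(2026, 5, 8, 22, 0, tzinfo=UTC),    # pulled the day before
    "ci-lab": datetime(2026, 5, 10, 9, 30, tzinfo=UTC),    # pulled after the window closed
}
SAMPLE_BUILDS = [
    # 23:59 EDT on May 8 is 03:59 UTC on May 9, after ci-east's pull: exposed.
    Build("ci-east", "payments-api", 812, datetime(2026, 5, 8, 23, 59, tzinfo=EDT),
          True, ("aws-deploy", "gh-token")),
    # Started before the malicious pull landed on ci-east: not exposed.
    Build("ci-east", "payments-api", 811, datetime(2026, 5, 9, 2, 0, tzinfo=UTC),
          True, ("aws-deploy",)),
    # Ran on the affected controller but never invoked a scan: not exposed.
    Build("ci-east", "docs-site", 40, datetime(2026, 5, 9, 12, 0, tzinfo=UTC),
          False, ("pages-token",)),
    # Two days after the window, plugin never replaced: still exposed.
    Build("ci-east", "mobile-app", 55, datetime(2026, 5, 12, 9, 0, tzinfo=UTC),
          True, ("registry-push",)),
    # Clean pull on ci-west: not exposed even though the build is in the window.
    Build("ci-west", "payments-api", 900, datetime(2026, 5, 9, 5, 0, tzinfo=UTC),
          True, ("aws-deploy-west",)),
    # ci-lab pulled after the window closed: not exposed.
    Build("ci-lab", "sandbox", 3, datetime(2026, 5, 10, 10, 0, tzinfo=UTC),
          True, ("lab-key",)),
]

if __name__ == "__main__":
    affected, rotate = triage(SAMPLE_BUILDS, SAMPLE_INSTALLS)
    for b in affected:
        print("EXPOSED %s/%s #%d started %s" % (b.controller, b.job, b.number, to_utc(b.started)))
    print("rotate:", ", ".join(rotate))
```

On a real controller the install time is the mtime of the plugin's `.jpi` file under `$JENKINS_HOME/plugins/` and the per-build credential bindings come from the build's environment or pipeline definition; feed those into `triage` in place of the sample data. The script deliberately raises on naive timestamps rather than assuming UTC, because the whole audit hinges on a 31-hour window.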
