Checkmarx Jenkins AST Plugin Vulnerability Exposed in Sneaky Supply Chain Hack
Supply Chain Attack Compromises Jenkins AST Plugin
On Friday, Checkmarx issued a warning about a malicious version of its Jenkins AST plugin being published as part of a supply chain attack.
What is the Jenkins AST Plugin?
The plugin allows users to integrate the functionality of the Checkmarx One platform into Jenkins pipelines, enabling them to scan source code using the Checkmarx AST platform.
Users Advised to Update to Latest Version
Compromised Plugin Linked to Previous Supply Chain Attack
The compromised plugin is linked to the Trivy supply chain attack, which occurred in March. During this incident, the TeamPCP hacker group gained access to Checkmarx’s repositories and published malicious artifacts. A second wave of malicious artifacts was subsequently published, followed by the public release of data allegedly stolen from the company’s repositories.
Importance of Ensuring Up-to-Date Plugins and Software Components
In response to the incident, Checkmarx has stressed that organizations should keep the plugins and software components in their environments up to date. The incident underscores the ongoing need for vigilance in identifying and addressing potential weaknesses in software supply chains.
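Keeping plugins current starts with knowing what is installed. The script below is an added example (not Checkmarx's or Jenkins' own code): it inventories the `*.jpi`/`*.hpi` archives in a Jenkins plugins directory by reading each archive's `META-INF/MANIFEST.MF`, then flags any pinned plugin that is missing or older than a minimum version you set. The plugin short name `checkmarx-ast-scanner` is assumed to be the plugin's Jenkins id, and the minimum version numbers are placeholders rather than the vendor's actual fixed release; the plugin archives it checks are constructed in a temporary directory so the example runs offline.

```python
"""Inventory installed Jenkins plugins and flag versions below a pinned minimum.

Added example, not Checkmarx's or Jenkins' own code. It reads META-INF/MANIFEST.MF
inside each *.jpi/*.hpi archive in a plugins directory (the layout Jenkins uses under
$JENKINS_HOME/plugins) and compares Plugin-Version against a minimum you pin.
"""
import re
import zipfile
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed: minimum acceptable versions. The short name is assumed to be the Jenkins
# plugin id for the Checkmarx AST plugin; the version numbers are placeholders, not the
# vendor's real fixed release. Replace them with the versions from the vendor advisory.
MINIMUM_VERSIONS = {
    "checkmarx-ast-scanner": "2.0.0",
    "git": "5.0.0",
}


def parse_manifest(text: str) -> dict:
    """Parse a JAR MANIFEST.MF: 'Key: value' lines; a line starting with a space continues the previous value."""
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        if ":" not in raw:
            last_key = None
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        attrs[last_key] = value.lstrip()
    return attrs


def parse_version(version: str) -> tuple:
    """Turn '1.2.3' into a comparable tuple; '2.0' equals '2.0.0' and '2.0.0-beta' sorts before '2.0.0'.

    Jenkins' newer 'NNNN.vHASH' scheme is compared only on its leading number here.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # pad so 2.0 == 2.0.0
    return (tuple(nums), 0 if not m.group(2) else -1)


def inventory(plugins_dir: Path) -> dict:
    """Map plugin short name -> installed version for every .jpi/.hpi archive in the directory."""
    found = {}
    for archive in sorted(plugins_dir.glob("*.[jh]pi")):
        with zipfile.ZipFile(archive) as zf:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        name = manifest.get("Short-Name", archive.stem)
        found[name] = manifest.get("Plugin-Version", "0")
    return found


def find_outdated(installed: dict, minimums: dict) -> list:
    """Return (name, installed_version_or_None, required) for pinned plugins that are missing or too old."""
    problems = []
    for name, required in sorted(minimums.items()):
        have = installed.get(name)
        if have is None or parse_version(have) < parse_version(required):
            problems.append((name, have, required))
    return problems


def build_sample_plugins_dir(root: Path) -> Path:
    """Constructed fixture: two fake plugin archives that mimic the Jenkins plugin layout."""
    plugins = root / "plugins"
    plugins.mkdir()
    samples = {
        "checkmarx-ast-scanner": "1.9.9",  # constructed: below the pinned minimum
        "git": "5.2.0",                    # constructed: satisfies the minimum
    }
    for short_name, version in samples.items():
        manifest = (
            "Manifest-Version: 1.0\r\n"
            f"Short-Name: {short_name}\r\n"
            f"Plugin-Version: {version}\r\n"
            "Long-Name: constructed sample plugin for this \r\n"
            " example only\r\n"  # continuation line, as real manifests wrap long values
            "\r\n"
        )
        with zipfile.ZipFile(plugins / f"{short_name}.jpi", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    return plugins


def run_check() -> list:
    """Build the constructed fixture, inventory it, and return the outdated list."""
    with TemporaryDirectory() as tmp:
        plugins = build_sample_plugins_dir(Path(tmp))
        return find_outdated(inventory(plugins), MINIMUM_VERSIONS)


if __name__ == "__main__":
    for name, have, need in run_check():
        print(f"{name}: installed={have} required>={need}")
```

To run it against a real controller, call `find_outdated(inventory(Path("/var/lib/jenkins/plugins")), MINIMUM_VERSIONS)` with the minimums taken from the vendor's advisory; a missing plugin is reported with `None` as its installed version so that a pinned plugin that has been removed does not go unnoticed.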
Related Incidents:
- The vendor stated that the Daemon Tools supply chain attack contained malware.
- The potential impact of AI coding agents on future supply chain crises.
- A vulnerability in the Gemini CLI that could have led to code execution and supply chain attacks.
- A breach affecting 1,800 companies through the Mini Shai-Hulud attack on SAP, Lightning, and Intercom.
