Checkmarx warned users that a modified version of its Jenkins AST plugin was published in the Jenkins Marketplace as part of an ongoing supply chain attack. The company advised users to verify that they are running version 2.0.13-829.vc72453fa_1c16 and released new plugin versions, including 2.0.13-848.v76e89de8a_053. #Checkmarx #JenkinsAST #Trivy #TeamPCP #Lapsus
Key points
- Checkmarx found a malicious version of its Jenkins AST plugin in the Jenkins Marketplace.
- The plugin integrates Checkmarx One into Jenkins pipelines for source code scanning.
- Users were told to confirm they are using version 2.0.13-829.vc72453fa_1c16.
- Checkmarx released new plugin versions, including 2.0.13-848.v76e89de8a_053, on GitHub and the Jenkins Marketplace.
- The incident is linked to a supply chain attack that began after the Trivy compromise and involved TeamPCP and Lapsus$.
Read More: https://www.securityweek.com/checkmarx-jenkins-ast-plugin-compromised-in-supply-chain-attack/