Official Jenkins Security Tool Compromised With Hidden Data Stealer

By 813 Staff

Tech industry sources confirm the report, first published by BleepingComputer (@BleepinComputer) within the last 24 hours, that the official Jenkins security tool was compromised with a hidden data stealer.

Source: https://x.com/BleepinComputer/status/2053959165387678136

Two days ago, an internal security alert went out at CheckMarx that was supposed to stay internal. Now we know why. On May 11, BleepingComputer reported that the official Jenkins plugin for CheckMarx — the static application security testing tool relied upon by thousands of enterprise DevSecOps pipelines — was compromised with an information-stealing malware payload. The timing is not coincidental. This disclosure lands just as security teams are finalizing their patch cycles for Jenkins instances, many of which run CheckMarx plugins by default in regulated environments.

According to BleepingComputer’s reporting, an unknown threat actor gained access to the plugin’s distribution channel on the Jenkins Update Center. Internal documents circulating among CheckMarx’s incident response team confirm that the malicious version, which surfaced as update 7.0.0, contained a compiled infostealer designed to exfiltrate credentials, API tokens, and environment variables stored in the Jenkins workspace. Engineers close to the project say the tainted artifact was available for download for approximately 48 hours before CheckMarx and the Jenkins security team yanked it offline. The rollout has been anything but smooth; multiple enterprise customers who auto-update their plugins may have been running the compromised code since early last weekend.

What matters here is the supply chain vector. This is not a theoretical vulnerability — it is a live, weaponized plugin inside a CI/CD tool that has root access to build pipelines. Anyone who runs Jenkins behind a VPN with the CheckMarx plugin auto-updating should treat their credentials as burned. The infostealer, which early reverse engineering suggests is a variant of the RedLine stealer family, targets browser-stored passwords and Git SSH keys. It does not appear to have propagated laterally, but that is unconfirmed.

As of this morning, CheckMarx has released an updated, signed version 7.0.1 and posted a forensic advisory on their security blog. Jenkins maintainers have pushed a revoke for the compromised plugin’s signing key. What remains unclear is whether the attacker exploited a compromised maintainer account or a CI pipeline weakness at CheckMarx itself. The company has not yet published a root cause analysis, and until they do, every organization using this plugin must assume the worst — that their pipeline secrets are now in the open.
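For a defender, the first practical question raised above is whether any Jenkins controller in the estate is still running the tainted 7.0.0 build rather than the signed 7.0.1 release. The following script is an added example, not code from the article or from CheckMarx or the Jenkins project. It audits the plugin inventory that Jenkins exposes at `GET /pluginManager/api/json?depth=1` (the `shortName`, `version`, `active` and `enabled` fields are real Jenkins fields) against a small advisory table. The plugin id `checkmarx-plugin-placeholder` and the inventory contents are constructed placeholders; substitute the plugin's real short name from your own Plugin Manager page.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample of a Jenkins plugin inventory, shaped like the response of
# GET /pluginManager/api/json?depth=1. The plugin short name for the Checkmarx
# plugin is a PLACEHOLDER (assumption), not the real plugin id.
SAMPLE_PLUGIN_INVENTORY = json.dumps({
    "plugins": [
        {"shortName": "git", "longName": "Git plugin",
         "version": "5.2.1", "active": True, "enabled": True},
        {"shortName": "checkmarx-plugin-placeholder", "longName": "Checkmarx (placeholder)",
         "version": "7.0.0", "active": True, "enabled": True},
        {"shortName": "credentials", "longName": "Credentials Plugin",
         "version": "1337.v60b_d7b_c7b_c9f", "active": True, "enabled": True},
    ]
})

# Advisory table: versions the article describes as compromised, and the fixed
# signed release. Only the version numbers come from the article; the key is
# the placeholder plugin id above.
ADVISORY: Dict[str, Dict] = {
    "checkmarx-plugin-placeholder": {"compromised": {"7.0.0"}, "fixed": "7.0.1"},
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Jenkins plugin version into a comparable tuple.

    Jenkins versions can look like "7.0.1" or "1337.v60b_d7b_c7b_c9f"; each
    dot-separated component contributes its leading integer (0 if none).
    """
    parts = []
    for component in version.split("."):
        match = re.match(r"\d+", component)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def classify(installed: str, entry: Dict) -> str:
    """Classify an installed version against one advisory entry."""
    if installed in entry["compromised"]:
        return "compromised"
    if parse_version(installed) < parse_version(entry["fixed"]):
        return "older_than_fixed"
    return "ok"


def audit_plugins(inventory_json: str, advisory: Dict[str, Dict]) -> List[Dict]:
    """Return one finding per installed plugin that appears in the advisory.

    A 'compromised' finding on an active, enabled plugin means the controller
    ran the tainted build, so the workspace credentials, API tokens and
    environment variables it could read should be treated as exposed.
    """
    inventory = json.loads(inventory_json)
    findings = []
    for plugin in inventory.get("plugins", []):
        name = plugin.get("shortName")
        if name not in advisory:
            continue
        entry = advisory[name]
        status = classify(plugin.get("version", ""), entry)
        findings.append({
            "shortName": name,
            "installed": plugin.get("version"),
            "fixed": entry["fixed"],
            "status": status,
            # Loaded and enabled: the plugin code actually executed on this controller.
            "was_running": bool(plugin.get("active")) and bool(plugin.get("enabled")),
            "rotate_secrets": status == "compromised"
                              and bool(plugin.get("active")) and bool(plugin.get("enabled")),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_plugins(SAMPLE_PLUGIN_INVENTORY, ADVISORY):
        print(json.dumps(finding, indent=2))
```

Run it against a live controller by replacing `SAMPLE_PLUGIN_INVENTORY` with the body fetched from the Plugin Manager API using an API token; the `rotate_secrets` flag is what should drive the credential rotation the article calls for, since a plugin that was installed but never active did not execute.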
