TeamPCP Hits Checkmarx Jenkins Plugin in New Supply Chain Attack


Checkmarx confirms a modified Jenkins AST plugin was published to the Jenkins Marketplace by TeamPCP. Only version 2.0.13-829.vc72453fa_1c16 or older is safe. Learn how to protect your systems from this supply chain attack.

The cybersecurity world is still reeling from the KICS supply chain breach, and now we have another incident to worry about. Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace. This isn't just a minor glitch; it's a deliberate attack by a group known as TeamPCP.

If you're using the Checkmarx Jenkins AST plugin, you need to act fast. The company has stated that only version 2.0.13-829.vc72453fa_1c16, published on December 17, 2025, or earlier versions, are safe. Anything newer could be compromised. As of writing, Checkmarx has released a fix, but the damage may already be done.

### What Happened?

TeamPCP managed to sneak a malicious version of the plugin into the official Jenkins Marketplace. This is a classic supply chain attack, the kind where attackers target the software supply chain to infect downstream users. Think of it like someone slipping a counterfeit product into a trusted store's inventory. You think you're buying the real deal, but it's actually rigged.

- The malicious plugin was uploaded after December 17, 2025.
- It mimics the legitimate Checkmarx AST plugin.
- Users who installed the fake version may have exposed their systems.

Checkmarx's statement over the weekend urged everyone to verify their plugin version immediately. The company is working with Jenkins to remove the bad actor's code, but you shouldn't wait for that to happen.

![Visual representation of TeamPCP Hits Checkmarx Jenkins Plugin in New Supply Chain Attack](https://ppiumdjsoymgaodrkgga.supabase.co/storage/v1/object/public/etsygeeks-blog-images/domainblog-a796c82e-2c87-4f05-b46b-31f8fd63ffec-inline-1-1779973437125.webp)

### Why This Matters for Antidetect Browser Users

You might be wondering: what does a Jenkins plugin have to do with antidetect browsers? Well, it's all about trust. If you're using antidetect browsers to manage multiple identities or protect your privacy, you rely on a chain of trusted software. A supply chain attack on a tool like Jenkins could ripple out to affect how developers build and deploy antidetect solutions.

For example, if a developer's CI/CD pipeline gets compromised through a malicious plugin, the antidetect browser they're working on could end up with backdoors. That's a nightmare for anyone who values digital privacy. The best antidetect browser is only as good as the software that builds it.

### How to Protect Yourself

Here's what you need to do right now:

- Check your Jenkins plugin version. Go to the plugin manager and look for "Checkmarx AST Plugin." Ensure it's version 2.0.13-829.vc72453fa_1c16 or older.
- If you have a newer version, uninstall it immediately. Then manually install the safe version from Checkmarx's official site.
- Monitor your systems for unusual activity. Supply chain attacks often leave subtle traces.

"If you are using Checkmarx Jenkins AST plugin, you need to ensure that you are using the version 2.0.13-829.vc72453fa_1c16 that was published on December 17, 2025 or previously," the cybersecurity company said in a statement over the weekend.

### The Bigger Picture

This attack comes just weeks after the KICS supply chain breach, which shook the security community. It's a pattern: attackers are getting smarter about infiltrating trusted distribution channels. For professionals using antidetect browsers, this is a wake-up call. You can't just trust the source; you need to verify every piece of software you touch.

Think about it like this: you wouldn't buy a used car without checking its history. The same logic applies to software plugins. Always check version numbers, release dates, and signatures. It takes an extra minute but could save you from a world of hurt.

### Final Thoughts

The TeamPCP attack on Checkmarx's Jenkins plugin is a reminder that no software is immune. Whether you're a developer or a privacy-conscious user, staying vigilant is key. The best antidetect browser can't protect you if the tools you rely on are compromised. So, update your plugins, verify your versions, and keep your eyes open. And remember: the safe version is 2.0.13-829.vc72453fa_1c16. Anything else is a risk you don't need to take.
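
The version check from the "How to Protect Yourself" steps can be scripted across many controllers. The following is an added example, not code from Checkmarx, Jenkins or this article. It assumes the plugin's short name is `checkmarx-ast-scanner` and that versions follow the `major.minor.patch-build.v<commit>` pattern of the safe version; the JSON is a constructed sample of what Jenkins returns from `/pluginManager/api/json?depth=1`.

```python
import json
import re

# Last version Checkmarx lists as safe (taken from the article).
SAFE_VERSION = "2.0.13-829.vc72453fa_1c16"
# Assumption: the plugin's Jenkins short name; confirm it in your plugin manager.
PLUGIN_ID = "checkmarx-ast-scanner"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)\.v([0-9a-f_]+)$")


def parse_version(version):
    """Split '2.0.13-829.vc72453fa_1c16' into ((2, 0, 13, 829), 'c72453fa_1c16')."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.groups()[:4]), match.group(5)


def classify(version):
    """Return 'safe', or 'review' for anything newer, altered or unparseable."""
    installed, safe = parse_version(version), parse_version(SAFE_VERSION)
    if installed is None:
        return "review"  # unknown version scheme: inspect by hand, do not guess
    if installed == safe:
        return "safe"
    if installed[0] == safe[0]:
        return "review"  # same release numbers but a different commit suffix
    return "safe" if installed[0] < safe[0] else "review"


def audit(plugin_manager_json):
    """Return (version, verdict) for every entry matching PLUGIN_ID."""
    plugins = json.loads(plugin_manager_json).get("plugins", [])
    return [(p.get("version", ""), classify(p.get("version", "")))
            for p in plugins if p.get("shortName") == PLUGIN_ID]


# Constructed sample of the plugin manager API response (not real data).
SAMPLE = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.2.1", "active": True},
    {"shortName": PLUGIN_ID, "version": "2.0.13-830.v0123456789ab", "active": True},
]})

if __name__ == "__main__":
    for version, verdict in audit(SAMPLE):
        print(f"{PLUGIN_ID} {version}: {verdict}")
```

A `review` verdict means the installed build is not the listed safe version or an older one and should be handled as the steps above describe.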