By falco365 · Published May 10, 2026

Jenkins Checkmarx AST Scanner plugin backdoored (TeamPCP): trojanized JAR + runtime cli.js download from cx-plugins-releas staging repo

Version 2026.5.09 of the official Jenkins Checkmarx AST Scanner plugin was replaced with a malicious build on May 9, 2026. The compromised version fetches a trojanized checkmarx-ast-scanner.jar and a runtime-downloaded obfuscated cli.js from an attacker-controlled GitHub repository labeled 'mini Shai-Hulud'. Exfiltration endpoint is audit.checkmarx[.]cx/v1/telemetry — shared C2 with the April 2026 Checkmarx KICS Docker/VS Code compromises. Persistence drops: .claude/router_runtime.js and .vscode/tasks.json.

Analysis

Version 2026.5.09 of the official Jenkins Checkmarx AST Scanner plugin was replaced with a malicious build on May 9, 2026. First reported by Adnan Khan and Berk Albayrak, the backdoored version fetches two additional artifacts into any Jenkins build that runs a Checkmarx scan step: a trojanized checkmarx-ast-scanner.jar bundled with the plugin, and an obfuscated cli.js downloaded at runtime from an attacker-controlled GitHub repository (github.com/cx-plugins-releas).

The attacker-controlled staging repository is labeled "mini Shai-Hulud" — explicit Dune campaign branding linking this to the TeamPCP cluster. The exfiltration endpoint is audit.checkmarx[.]cx/v1/telemetry with AES-256-GCM encrypted payloads — shared C2 infrastructure with the April 2026 Checkmarx KICS Docker and VS Code extension compromises. This is the same actor, expanding their foothold in the Checkmarx toolchain from developer IDEs to CI/CD pipeline scan steps.

Attack chain

The backdoor operates at scan execution time, not plugin install time:

  1. Jenkins CI job runs a Checkmarx AST scan step using the compromised plugin version
  2. Plugin fetches checkmarx-ast-scanner.jar — the bundled trojanized version replaces the expected artifact
  3. Plugin downloads cli.js at runtime from raw.githubusercontent[.]com/cx-plugins-releas/... — the runtime download means the malicious payload is not present in the plugin tarball and will not be detected by static package analysis of the plugin itself
  4. Payload harvests secrets from the CI runner environment: GitHub tokens, AWS credentials, Azure and Google Cloud credentials, npm publish tokens, SSH keys, environment variables, MCP configuration files
  5. Encrypted payload exfiltrated to audit.checkmarx[.]cx/v1/telemetry

The runtime-download pattern is operationally deliberate: it separates the delivery mechanism (the plugin) from the payload (cli.js), allowing the payload to be updated without publishing a new plugin version. It also defeats static analysis of the plugin tarball.

Shared C2 infrastructure with KICS compromise

The audit.checkmarx[.]cx/v1/telemetry exfiltration endpoint is identical to the C2 used in the April 22, 2026 Checkmarx KICS Docker image and VS Code extension compromise. The shared endpoint confirms common operator infrastructure across both campaigns. The attacker has maintained and reused this infrastructure from April through May 2026 — suggesting either high operator confidence in its continued operational security, or that the infrastructure is rotated less frequently than in other TeamPCP campaigns.

Persistence drops

Two persistence mechanisms are noted:

  • .claude/router_runtime.js — Claude Code configuration directory injection, consistent with the Mini Shai-Hulud pattern of targeting AI coding assistant configurations for hook persistence
  • .vscode/tasks.json — VS Code auto-run task injection, enabling payload re-execution on next IDE session open

Both mechanisms survive npm uninstall or removal of the Jenkins plugin — the persistence is on the build agent's filesystem, not in the plugin itself.

Indicators of compromise

Affected plugin version: checkmarx-ast-scanner 2026.5.09

File hashes (SHA-256, reported by Albayrak):

  • checkmarx-ast-scanner.jar: f50a96d26a5b0beb29de4127e82b2bf350c21511e5a43d286e43f798dc6cd53f
  • cli.js: 08352b4c37808a25895cda1cae27ec8a83cf7ee9de15e2d4dd9560a2906730f4

Attacker staging repository: github.com/cx-plugins-releas (labeled "mini Shai-Hulud")

Exfiltration endpoint (defanged): audit.checkmarx[.]cx/v1/telemetry — AES-256-GCM encrypted, X-Vault-Token or Authorization: Bearer header

Persistence artifacts:

  • .claude/router_runtime.js
  • .vscode/tasks.json

Detection
  • Check Jenkins plugin version. Navigate to Manage Jenkins → Manage Plugins → Installed. Version 2026.5.09 is the compromised build.
  • Review build logs for jobs that invoked the Checkmarx AST Scanner step for unexpected downloads of checkmarx-ast-scanner.jar or cli.js.
  • Search workspace and temp directories on Jenkins agents for files matching the JAR/JS SHA-256 hashes above.
  • Audit DNS and proxy logs from Jenkins agents for connections to audit.checkmarx[.]cx or downloads from raw.githubusercontent.com/cx-plugins-releas.
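The agent-side checks above (plugin version, IoC hashes, persistence drops) as one sweep script. This is an added example, not code from the advisory or from Checkmarx; it assumes POSIX sh with find and sha256sum or shasum, and reads the plugin version from the standard Jenkins manifest path $JENKINS_HOME/plugins/checkmarx-ast-scanner/META-INF/MANIFEST.MF.

```shell
#!/bin/sh
# Added example (not from the advisory): sweep a Jenkins agent or controller
# tree for the indicators listed above. Assumes POSIX sh, find, sha256sum or
# shasum, and the standard $JENKINS_HOME/plugins/<id>/META-INF/MANIFEST.MF layout.

# Hashes and version reported in the advisory.
IOC_JAR_SHA256=f50a96d26a5b0beb29de4127e82b2bf350c21511e5a43d286e43f798dc6cd53f
IOC_CLIJS_SHA256=08352b4c37808a25895cda1cae27ec8a83cf7ee9de15e2d4dd9560a2906730f4
COMPROMISED_VERSION=2026.5.09

# SHA-256 of one file, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Prints a finding and returns 0 when the compromised plugin build is
# installed under JENKINS_HOME ($1); returns 1 otherwise.
check_plugin_version() {
  manifest="$1/plugins/checkmarx-ast-scanner/META-INF/MANIFEST.MF"
  [ -f "$manifest" ] || return 1
  ver=$(sed -n 's/^Plugin-Version: *\([^[:space:]]*\).*/\1/p' "$manifest" | head -n 1)
  [ "$ver" = "$COMPROMISED_VERSION" ] || return 1
  echo "COMPROMISED_PLUGIN $manifest $ver"
}

# Sweeps the tree at $1 for hash matches and persistence artifacts. Prints
# one finding per line; returns 0 when clean, 1 when anything was found.
scan_for_iocs() {
  found=0
  # Persistence drops. A repository checked out into a workspace may ship its
  # own .vscode/tasks.json, so treat these as review candidates, not proof.
  while IFS= read -r f; do
    if [ -n "$f" ]; then echo "PERSISTENCE $f"; found=1; fi
  done <<EOF
$(find "$1" -type f -path '*/.claude/router_runtime.js'; find "$1" -type f -path '*/.vscode/tasks.json')
EOF
  # Hash every JAR and JS file against the reported artifact hashes.
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    case "$(sha256_of "$f")" in
      "$IOC_JAR_SHA256")   echo "TROJANIZED_JAR $f"; found=1 ;;
      "$IOC_CLIJS_SHA256") echo "MALICIOUS_CLIJS $f"; found=1 ;;
    esac
  done <<EOF
$(find "$1" -type f -name '*.jar'; find "$1" -type f -name '*.js')
EOF
  return $found
}
```

Run `check_plugin_version "$JENKINS_HOME"` on the controller and `scan_for_iocs /path/to/agent/workspace` (plus agent temp directories) on each agent; a non-zero exit from either means there is something to triage.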

SIEM query for the shared C2:

@http.url_details.host:audit.checkmarx.cx OR @dns.question.name:audit.checkmarx.cx

Remediation
  • Disable or remove the plugin immediately. Do not execute build jobs with version 2026.5.09 installed. Wait for Checkmarx to publish a verified clean release.
  • Rotate all secrets accessible to affected Jenkins agents: GitHub tokens, AWS credentials, Azure and Google Cloud credentials, npm publish tokens, SSH keys, Jenkins credential store values, MCP configuration material.
  • Remove persistence artifacts (.claude/router_runtime.js, .vscode/tasks.json) from any agent filesystems where the plugin ran.
  • Audit GitHub audit logs and Actions runs for the Shai-Hulud exfiltration pattern (unexpected repository creation, ${{ toJSON(secrets) }} workflow injection).
  • Restrict Jenkins agent egress to approved endpoints. Block downloads from arbitrary GitHub raw content URLs as defense-in-depth.

Criminal-market signal

No dark-web presence for Jenkins Checkmarx AST Scanner payload tooling or audit.checkmarx.cx infrastructure has been observed. The TeamPCP operator-run pattern confirmed across the cluster applies. H2 (operator-run, no commodity market) is confirmed by the shared C2 infrastructure across multiple campaign phases.