Likelihood: HIGH
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high because the malicious plugin was published to an official, trusted marketplace under a legitimate vendor identity, making silent installation highly probable for any organization running automated plugin updates or following Checkmarx's official channel — active exploitation status is unknown but the delivery mechanism was fully operational. Impact is very high because a successful install places every CI/CD secret, cloud access key, and code-signing credential in scope for exfiltration, enabling downstream software supply-chain compromise of the affected organization's own products and production environments.
Treatment rationale: The attack vector is a trusted third-party plugin channel that cannot be avoided without abandoning the toolchain, and the potential for credential-driven lateral movement and software release integrity compromise creates consequences too severe to accept or transfer as a primary response — immediate containment, credential rotation, and pipeline audit are required.
Third-Party / Supply-Chain Risk
Checkmarx is a direct COTS vendor and critical dependency in the CI/CD toolchain (NIST SP 800-161 Tier 1 supplier). The compromised delivery channel — Checkmarx's own Jenkins Marketplace credentials — represents a systemic vendor governance failure: credentials from a prior Checkmarx breach were not rotated, enabling a threat actor to publish malicious artifacts under a trusted vendor identity across at least three separate artifacts (Jenkins AST Plugin, KICS, Trivy integration). Any organization treating Checkmarx plugins as implicitly trusted without independent integrity verification inherited Checkmarx's credential-security posture. Additional shared-platform risk exists for organizations using Docker, VSCode, or Open VSX distributions of affected Checkmarx tooling.
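A first inventory check for the exposure described above, added here as an example and not part of this assessment: a Python script that pulls the installed-plugin list from the Jenkins plugin-manager JSON endpoint and reports any Checkmarx-named plugin at the affected version alongside every Checkmarx plugin for manual review. The Jenkins URL, credentials, and plugin short names in the sample data are placeholders; only the affected version string comes from the assessment.

```python
"""Flag Jenkins plugins installed at the affected Checkmarx release.

Added example, not vendor or assessment code. Uses the standard Jenkins
endpoint /pluginManager/api/json?depth=1, which lists every installed
plugin with shortName, longName and version.
"""
import base64
import json
import urllib.request

AFFECTED_VERSION = "2026.5.09"   # from the assessment (v2026.5.09)
VENDOR_MARKER = "checkmarx"      # matched case-insensitively against plugin names


def fetch_plugins(base_url, user, api_token):
    """Return the 'plugins' array from a Jenkins controller (basic auth with an API token)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/pluginManager/api/json?depth=1")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["plugins"]


def triage(plugins, affected_version=AFFECTED_VERSION, marker=VENDOR_MARKER):
    """Return (hits, review): vendor plugins at the affected version, and all vendor plugins."""
    hits, review = [], []
    want = affected_version.lstrip("v")
    for p in plugins:
        name = f"{p.get('shortName', '')} {p.get('longName', '')}".lower()
        if marker not in name:
            continue
        entry = (p.get("shortName"), p.get("version"))
        review.append(entry)
        if str(p.get("version", "")).lstrip("v") == want:
            hits.append(entry)
    return hits, review


# Constructed sample inventory; short names are placeholders, not real plugin ids.
SAMPLE_PLUGINS = [
    {"shortName": "git", "longName": "Git plugin", "version": "5.2.1"},
    {"shortName": "cx-ast", "longName": "Checkmarx AST Scanner", "version": "2026.5.09"},
    {"shortName": "cx-kics", "longName": "Checkmarx KICS", "version": "1.4.0"},
]

if __name__ == "__main__":
    # Replace SAMPLE_PLUGINS with fetch_plugins("https://jenkins.example", "user", "token").
    hits, review = triage(SAMPLE_PLUGINS)
    for short, ver in hits:
        print(f"AFFECTED: {short} {ver} -> isolate controller, rotate pipeline credentials")
    for short, ver in review:
        print(f"review against vendor advisory: {short} {ver}")
```

A hit on the affected version is the trigger for the containment and credential-rotation steps in the treatment rationale; the review list covers the other Checkmarx artifacts the assessment names without giving version data.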
Loss Exposure (illustrative)
Magnitude: High — illustrative $500K–$5M per affected organization, scaling with the sensitivity of exfiltrated credentials and whether downstream software releases were compromised
Frequency: For any organization that installed v2026.5.09, this is a realized single-event exposure rather than a frequency question; for the broader population of Jenkins/Checkmarx users, this vector is a low-frequency, high-consequence supply-chain strike, estimated at fewer than one occurrence per organization per year
Annualized: ALE is not the operative frame for an organization confirmed to have installed the malicious version; the relevant figure is the single-event loss magnitude of $500K–$5M, driven by incident response, credential rotation, forensic investigation, potential customer notification, and downstream remediation if build artifacts were tampered with
Basis: Range derived from: (1) incident response and forensic cost for a mid-to-large engineering organization with a compromised CI/CD pipeline estimated at $200K–$800K; (2) credential-enabled cloud lateral movement and potential production access adding operational disruption and recovery cost of $100K–$1M; (3) if code-signing credentials were compromised and releases were tampered, customer notification, remediation distribution, and reputational consequence add $200K–$3M at the high end. No third-party report dollar figures were used; all components are independently derived from cost-category logic.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• If pipeline secrets include credentials with access to customer data or PII, the resulting exposure may invoke state and federal breach-notification obligations — verify with counsel.
• Exfiltration of code-signing credentials or deployment tokens used to sign software distributed to customers may trigger software liability or product warranty clauses in customer contracts — verify with counsel.
• Credential theft enabling access to cloud environments or production systems may constitute a covered cyber event under existing cyber-insurance policies and could trigger notice obligations to the insurer within policy-defined windows — verify with broker.
• If the organization is subject to SOC 2, FedRAMP, PCI-DSS, or similar frameworks, a confirmed or suspected supply-chain compromise of the build pipeline may trigger mandatory incident disclosure to auditors or assessors — verify with counsel and compliance lead.