Any organization that installed the malicious plugin version may have had every secret reachable from its build and deployment pipelines exfiltrated, including cloud access keys, code signing credentials, container registry tokens, and deployment tokens. Because the stolen credentials are valid, an attacker holding them can reach production systems, inject code into software releases, or move laterally across cloud environments without producing the failed-login or anomalous-authentication events that usually raise the first alert. Depending on what those pipelines touch, the regulatory exposure spans incident reporting commitments made under SOC 2, potential PCI-DSS scope if payment systems are in the deployment chain, and reputational risk if software shipped to customers was built on a compromised pipeline.
You Are Affected If
You installed Checkmarx Jenkins AST Plugin v2026.5.09 on any Jenkins controller between May 9, 2026 and discovery (plugins are installed on the controller; agents that ran builds for an affected controller are in scope as well)
You install plugins directly from the public Jenkins Update Center without an internally mirrored and scanned artifact proxy in between
Your Jenkins pipelines have access to cloud provider keys, container registry tokens, code signing credentials, or production deployment secrets
You also use Checkmarx KICS or the Checkmarx Trivy integration and have not rotated the credentials those integrations use since the March 2026 Trivy compromise
You use VS Code or Open VSX extensions from the Checkmarx ecosystem that were published through the same credential chain as the compromised artifacts
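The first item above is the one to settle before anything else: was v2026.5.09 ever installed on a controller? The script below is an added example, not part of this advisory or any Checkmarx or Jenkins tooling. It reads the controller's plugin inventory from the Jenkins REST endpoint /pluginManager/api/json?depth=1 (a standard endpoint that returns a list of plugins with shortName, version, active and enabled fields) and flags the affected version. The plugin id checkmarx-ast-scanner is an assumption and should be confirmed against your own controller's plugin page; the embedded sample response is constructed so the check runs offline.

```python
import json
import urllib.request
from base64 import b64encode

# Affected version as published in this advisory. The shortName is an
# assumption: verify it against /pluginManager on your controller.
AFFECTED_SHORT_NAME = "checkmarx-ast-scanner"
AFFECTED_VERSIONS = {"2026.5.09"}


def normalize(version: str) -> tuple:
    """Split a plugin version into comparable parts so that '2026.5.09'
    and '2026.5.9' are treated as the same release. Non-numeric parts
    (e.g. '-SNAPSHOT') are kept as lower-cased text."""
    return tuple(int(p) if p.isdigit() else p.lower() for p in version.split("."))


def find_affected(plugin_api_json: dict,
                  short_name: str = AFFECTED_SHORT_NAME,
                  versions=AFFECTED_VERSIONS) -> list:
    """Return every plugin entry matching the affected id and version.
    A disabled copy (enabled == False) is still reported: the artifact
    was installed on the controller and must be treated as affected."""
    wanted = {normalize(v) for v in versions}
    hits = []
    for entry in plugin_api_json.get("plugins", []):
        if entry.get("shortName") != short_name:
            continue
        if normalize(entry.get("version", "")) in wanted:
            hits.append({
                "shortName": entry["shortName"],
                "version": entry.get("version"),
                "active": entry.get("active"),
                "enabled": entry.get("enabled"),
            })
    return hits


def fetch_plugin_json(base_url: str, user: str, api_token: str) -> dict:
    """Fetch the live inventory from a controller using a Jenkins user API
    token over HTTP basic auth. Not called by the offline check below."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    req = urllib.request.Request(url)
    cred = b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response in the shape the endpoint returns; the
# entries and versions are made up for this example.
SAMPLE_PLUGIN_JSON = json.loads("""
{
  "plugins": [
    {"shortName": "git", "version": "5.2.1", "active": true, "enabled": true},
    {"shortName": "checkmarx-ast-scanner", "version": "2026.5.09",
     "active": true, "enabled": false},
    {"shortName": "workflow-aggregator", "version": "596.v8c21c963d92d",
     "active": true, "enabled": true}
  ]
}
""")


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_PLUGIN_JSON):
        print("AFFECTED:", hit)
```

Run it against each controller by replacing SAMPLE_PLUGIN_JSON with fetch_plugin_json("https://jenkins.example", "user", "api-token"); any hit, enabled or not, means the controller and every credential its pipelines could read go on the rotation list. Checking the running inventory alone is not sufficient if the plugin was installed and later removed; the controller's plugins/ directory history and update logs should be reviewed for the same version string.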
Board Talking Points
A trusted security vendor's build-pipeline plugin was weaponized to steal the keys that control our software build systems. This is not a theoretical risk; it is an active credential theft campaign.
We need to immediately confirm whether this plugin was installed in our environment, rotate every credential those pipelines could reach, and suspend use of affected Checkmarx components until the vendor provides verified clean replacements.
Organizations that do not act within hours risk attackers using stolen pipeline credentials to access production systems or inject malicious code into the software we ship to customers.
PCI-DSS: if compromised Jenkins pipelines deploy to or have access to cardholder data environments, stolen credentials may constitute unauthorized access to in-scope systems, requiring the incident response process of PCI-DSS v4.0 Requirement 12.10 to be invoked and a breach assessment performed
SOC 2: CI/CD pipeline credential exfiltration is a security incident to be evaluated under the SOC 2 security (common criteria) and confidentiality trust services criteria; organizations with SOC 2 commitments should assess the incident reporting obligations they have made to customers
HIPAA: if pipelines on affected Jenkins controllers build or deploy applications that process protected health information, the credential compromise triggers the breach risk assessment obligations of 45 CFR 164.402