CI/CD supply-chain alarms: Checkmarx Jenkins plugin hijacked—plus a new Windows file-blocking exploit

Checkmarx has issued a supply-chain warning after a rogue version of its Jenkins Application Security Testing (AST) plugin appeared on the Jenkins Marketplace. The alert indicates that CI/CD security tooling was targeted through the software distribution channel rather than by attacking Jenkins itself. Reporting further notes that TeamPCP compromised the Checkmarx Jenkins AST plugin weeks after a prior KICS supply-chain incident, suggesting a repeat pattern of abuse against developer security ecosystems. Checkmarx confirmed a modified plugin was posted and provided a specific remediation target: organizations must ensure they are running version 2.0.13-829.vc72453fa_1c16, published on December 17, 2025 or earlier. In parallel, a researcher released a proof-of-concept tool, GhostLock, showing how a legitimate Windows file API can be abused to block access to local files or files on SMB network shares. Strategically, these events matter because CI/CD pipelines and endpoint file access are foundational to industrial control, government IT, and other critical infrastructure operations. By poisoning the scanning layer, adversaries can potentially allow malicious code to pass security gates, undermining the integrity of release decisions without overtly “breaking” deployments. The repeated targeting of security plugins implies adversaries are optimizing for stealth and scale, leveraging trust in widely used developer tooling to reach many downstream organizations. GhostLock’s file-blocking capability adds a complementary disruption vector that can degrade recovery, incident response, and business continuity, particularly in environments dependent on Windows and shared storage. While reporting does not name a state sponsor, the tradecraft aligns with threat actors that exploit software distribution channels and Windows API abuse to maximize operational leverage. Economically, the impact is indirect but can be meaningful for cybersecurity spending, insurance pricing, and enterprise risk premia. The most exposed sectors are those with heavy CI/CD adoption—software and SaaS providers, fintech, and industrial firms—because a compromised AST plugin can weaken the trustworthiness of automated build and deployment pipelines. On the endpoint and network side, GhostLock’s emphasis on SMB shares elevates risk for organizations with Windows file servers and shared storage, increasing demand for EDR hardening, SMB monitoring, and incident response services. In financial terms, near-term effects are more likely to show up as volatility in cybersecurity equities and tighter scrutiny during cyber insurance renewals rather than as a direct commodity shock. If exploitation scales, insurers may tighten coverage terms and raise premiums for companies with unmanaged Jenkins plugin inventories and weak file-access controls. What to watch next is whether Checkmarx and Jenkins Marketplace administrators identify additional malicious versions, publish indicators of compromise, and clarify how widely the rogue plugin was downloaded. A key operational trigger is how quickly organizations can inventory Jenkins plugin versions across controllers and build agents and enforce the known-good version requirement (2.0.13-829.vc72453fa_1c16 or earlier). For GhostLock, escalation would be indicated by reports of weaponized variants beyond proof-of-concept, especially those that add persistence or ransomware-like behavior. Monitoring should focus on anomalous Jenkins plugin installation events, unexpected changes in AST behavior, and SMB share access denials correlated with unusual process activity. Over the coming days, de-escalation hinges on rapid remediation and evidence that no further supply-chain tampering occurred, while escalation would be confirmed by broader compromise indicators and signs of active exploitation in the wild.

Geopolitical Implications

• 01

  Supply-chain attacks on CI/CD security tooling can undermine trust in software used by governments and critical infrastructure.

• 02

  File-access disruption via Windows/SMB can create operational leverage without overt battlefield activity.

• 03

  Marketplace distribution-channel compromises elevate the strategic importance of cross-border cyber governance and vendor accountability.

Key Signals

• —Additional malicious plugin versions or follow-on advisories from Checkmarx/Jenkins Marketplace.
• —Indicators of AST scanning behavior changes on affected Jenkins instances.
• —Reports of GhostLock moving from proof-of-concept to real-world exploitation.
• —SMB denial patterns and correlated process telemetry indicating abuse of file APIs.