Closed · Medium impact · AI Generated

Checkmarx Jenkins AST Plugin Compromised with Infostealer – May 2026

Occurred 11 May 2026 · Detected 12 May 2026 · Ended 29 May 2026 · 1 report

Location: Global, originating via the Jenkins Marketplace; Checkmarx is a US/Israel-headquartered vendor.

Classes: Cyber · Property · Cyber Casualty & Liability

Checkmarx issued a warning over the weekend of 11 May 2026 that a rogue, malicious version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace. The compromised package contained infostealer malware designed to exfiltrate sensitive data from developer and CI/CD environments. The incident represents a software supply chain attack targeting users of the widely used Jenkins continuous integration platform. Checkmarx advised affected users to remove the rogue plugin immediately.

AI-generated from linked source reports.

Impact verdict

Medium impact. The compromise of an official plugin on a widely used marketplace (Jenkins) has significant potential reach across enterprise DevOps environments globally, with risk of credential theft, data exfiltration, and downstream pipeline compromise. However, the full scope of affected organisations is not yet confirmed.


Intelligence ledger


Known (4 lines)

  • A rogue version of the Checkmarx Jenkins AST plugin was published on the Jenkins Marketplace.
  • The malicious package contained infostealer malware.
  • Checkmarx issued a public warning over the weekend of 11 May 2026.
  • The incident was reported by BleepingComputer on 11 May 2026.

Reported (2 lines)

  • The rogue plugin was available for download via the official Jenkins Marketplace, increasing the potential victim count.
  • The attack appears designed to target developer pipelines and CI/CD environments.

Uncertain (4 lines)

  • The identity or attribution of the threat actor behind the compromise is not confirmed.
  • The number of organisations or individuals who downloaded and executed the malicious plugin is unknown.
  • Whether state-sponsored actors were involved has not been confirmed.
  • The duration for which the malicious package was available before detection is unclear.

Geographic Zone Matches

1 active match

  • TRIA Certified Areas (rule-based, confidence 100%)

Geographic zone matches are RiskEvents spatial/analytical indicators, not coverage determinations or Lloyd's official classifications.

Affected countries

Global · 🇺🇸 United States

Timeline

Status Change · 2 Jun 2026, 13:05

Lifecycle changed

monitoring → closed

Closure · 2 Jun 2026, 13:05

Event Closed

auto_closed_monitoring_timeout

Status Change · 29 May 2026, 05:30

Status changed to monitoring

Auto-transitioned: no updates for 6 hours

active → monitoring

Status Change · 28 May 2026, 22:36

Status changed to active

remediation: existing authoritative signal

signal → active

Initial Detection · 12 May 2026, 05:55

Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace.

Source: BleepingComputer (Trade Media)
