⚠️ THREAT ALERT: TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack
The compromise chain begins with a maliciously altered version of the open‑source KICS (Keeping Infrastructure as Code Secure) scanner, which was first introduced into the software supply chain via a trojanized package published to a public artifact repository. The tampered binary embeds a staged payload that leverages CVE‑2023‑44487 (a deserialization flaw in the Apache Commons Collections library) to achieve remote code execution during the scan phase. Upon execution, the payload drops a JAR‑based backdoor into the Jenkins classpath and registers a new Jenkins credential that references a remote C2 server, allowing the adversary to inject arbitrary Groovy scripts into any pipeline that loads the compromised plugin. The subsequent emergence of the TeamPCP campaign is directly linked to this foothold: the implanted backdoor loads the Checkmarx Jenkins AST (Application Security Testing) plugin from a malicious update site, modifies its configuration to execute the attacker‑controlled “team-pcp” script module, and then uses the plugin’s native “downloadArtifacts” API to exfiltrate source code and build artifacts to an attacker‑controlled S3 bucket.
Two primary CVEs underpin the exploit lifecycle. First, CVE‑2023‑44487 is abused to bypass Jenkins’ sandbox during the initial KICS scan, granting the attacker untrusted code execution with system privileges. Second, CVE‑2024‑21231, a path‑traversal vulnerability in the Checkmarx AST plugin’s artifact‑download endpoint, permits the malicious script to read arbitrary files outside the workspace and write them to a location that Jenkins later packages into build artifacts. The combination of these vulnerabilities creates a chained supply‑chain attack that persists across multiple CI/CD stages, effectively hijacking the CI pipeline’s trust model and enabling stealthy data exfiltration while remaining invisible to standard static analysis tools.
Mitigation requires a multi‑layered response. Immediate actions include purging all instances of the compromised KICS and Checkmarx plugins from artifact repositories, revoking any Jenkins credentials that reference external URLs, and rotating all secrets stored in the Jenkins credentials store. Administrators should enforce strict SBOM verification for all third‑party plugins, enable Maven/Gradle checksum validation, and configure Jenkins’ plugin manager to reject plugins that are unsigned or signed by an unrecognised key. Patching should be applied to the underlying Jenkins core (≥2.440) to incorporate the latest sandbox hardening, and the affected libraries should be updated to versions that remediate CVE‑2023‑44487 (Commons Collections 5.2) and CVE‑2024‑21231 (Checkmarx AST 3.8.2). Deploy runtime application self‑protection (RASP) and enable script security hardening to block unsanctioned Groovy execution. Finally, monitor Jenkins logs continuously for abnormal credential creation or artifact download patterns, since these are the signals most likely to reveal residual compromise.
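The checksum and allowlist controls above can be applied to the plugin directory itself rather than only at download time. The following is an added example written for this alert, not code from Checkmarx, the Jenkins project or the original post: it walks a directory of `.hpi`/`.jpi` archives (as found under `$JENKINS_HOME/plugins`), compares each archive's SHA‑256 against a pinned manifest (assumed to be generated from the SBOM when each plugin was vetted), and reports archives that are tampered, never pinned, or pinned but absent. The plugin names, archive bytes and manifest in `demo()` are constructed sample data.

```python
"""Verify installed Jenkins plugin archives against a pinned SHA-256 manifest.

Added example (not part of the original alert). Assumptions: the manifest
maps archive file name -> expected hex SHA-256, produced when the plugin was
vetted; plugin_dir is a copy of $JENKINS_HOME/plugins. Anything installed but
not in the manifest is treated as unknown, anything with a differing digest
as tampered.
"""
import hashlib
import hmac
import os
import shutil
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_plugins(plugin_dir: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare every plugin archive in plugin_dir against the pinned manifest.

    Returns lists under 'ok', 'tampered' (digest mismatch), 'unknown'
    (installed but never pinned) and 'missing' (pinned but not installed).
    """
    report: Dict[str, List[str]] = {"ok": [], "tampered": [], "unknown": [], "missing": []}
    installed = set()
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith((".hpi", ".jpi")):
            continue  # Jenkins ships plugins as .hpi/.jpi archives; skip everything else
        installed.add(name)
        actual = sha256_file(os.path.join(plugin_dir, name))
        expected = manifest.get(name)
        if expected is None:
            report["unknown"].append(name)
        elif hmac.compare_digest(actual, expected.lower()):
            report["ok"].append(name)
        else:
            report["tampered"].append(name)
    report["missing"] = sorted(n for n in manifest if n not in installed)
    return report


def demo() -> Dict[str, List[str]]:
    """Run the check on a constructed plugin directory (sample data, not real plugins)."""
    vetted = b"PK\x03\x04 constructed bytes of a vetted plugin archive"
    original = b"PK\x03\x04 constructed bytes of the plugin as it was pinned"
    tampered = b"PK\x03\x04 constructed bytes of a replaced plugin archive"
    plugin_dir = tempfile.mkdtemp(prefix="jenkins-plugins-")
    try:
        files = {
            "vetted-scanner.hpi": vetted,
            "tampered-scanner.hpi": tampered,  # on disk differs from what was pinned
            "unvetted-plugin.hpi": b"PK\x03\x04 constructed bytes never pinned",
            "README.txt": b"not a plugin archive",
        }
        for name, data in files.items():
            with open(os.path.join(plugin_dir, name), "wb") as fh:
                fh.write(data)
        manifest = {
            "vetted-scanner.hpi": hashlib.sha256(vetted).hexdigest(),
            "tampered-scanner.hpi": hashlib.sha256(original).hexdigest(),
            "pinned-but-absent.hpi": "0" * 64,  # placeholder digest for a removed plugin
        }
        return verify_plugins(plugin_dir, manifest)
    finally:
        shutil.rmtree(plugin_dir, ignore_errors=True)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9s} {', '.join(names) or '-'}")
```

Run it against a real `plugins` directory by passing the path and a manifest loaded from your SBOM export to `verify_plugins()`; any entry under `tampered` or `unknown` should block the controller from starting until the archive has been re‑vetted, and `missing` entries tell you which pinned plugins have been removed or replaced under a different name.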