Checkmarx Jenkins Plugin Backdoored in New TeamPCP Supply Chain Attack

ID: 9df2b488-fc58-5674-ac71-3ad69fc54089

STIX ID: report--9df2b488-fc58-5674-ac71-3ad69fc54089

Feed Name: SOCRadar Blog

Threat Score: 85/100

Date Published: 2026-05-11

Date Updated: 2026-05-11

Author: Ameer Owda

TeamPCP compromised Checkmarx infrastructure, defaced the Checkmarx Jenkins AST plugin repository, and backdoored release 2026.5.09 with credential-stealing malware ('Shai Hulud'). This risks widespread exposure of CI/CD secrets, tokens, and keys for any Jenkins instance that installed the compromised plugin. Organizations that used that version should assume compromise, rotate secrets, and audit pipelines.
