Previously, the attackers gained access to internal resources and used that access to extract sensitive credentials, including publishing credentials for Jenkins plugins. Using this access, they modified and redistributed the Checkmarx AST Scanner Jenkins Plugin via the official plugin distribution channel. The malicious update included a backdoored cli.js file designed to exfiltrate credentials from Jenkins environments where the plugin was installed and executed.
Additionally, the attackers temporarily controlled or modified a GitHub repository associated with the plugin, renaming it and exposing sensitive data. A personal access token (PAT) was identified in commit history and subsequently revoked, but it may have enabled further unauthorized access prior to remediation.