The Jenkins project has received multiple credible reports indicating that unsecured, publicly accessible instances of Jenkins are being targeted and infected with malware. This advisory publishes the information we have about this situation and may be updated once we learn more.
By default, Jenkins listens on all network interfaces and does not require user authentication, so anyone who can reach the port can run arbitrary processes as the user account Jenkins runs under. If you're running instances on a public network, make sure security is enabled (and, where possible, restrict the listen address or firewall the port so the instance is not reachable from the Internet at all). To enable security, follow the instructions in the Jenkins wiki.
While this is not a bug in Jenkins, we are planning to change the Jenkins setup in a future release to be secure by default, so that an instance is not exposed like this simply by being started.
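The two checks below are an added example, not part of the advisory or of the Jenkins project's own code. They show how to tell whether an instance is in the unsecured default state described above: offline, by reading `$JENKINS_HOME/config.xml`, which records `<useSecurity>false</useSecurity>` and the `AuthorizationStrategy$Unsecured` class when security is off; and online, by requesting the script console at `/script`, which an unsecured instance serves to anonymous clients (a 200 there means anyone on the network can run Groovy as the Jenkins user). The sample `config.xml` contents are constructed for illustration; the path `/var/lib/jenkins` and the URL `http://127.0.0.1:8080` are assumptions.

```shell
#!/bin/sh
# Added example: detect a Jenkins instance running with security disabled.

# Offline check on $JENKINS_HOME/config.xml.
# Returns 0 if security is enabled, 1 if the instance is unsecured,
# 2 if the file is missing or does not contain a <useSecurity> element.
jenkins_config_secured() {
    cfg="$1"
    [ -r "$cfg" ] || return 2
    use_security=$(sed -n 's/.*<useSecurity>\([a-z]*\)<\/useSecurity>.*/\1/p' "$cfg" | head -n 1)
    case "$use_security" in
        true)  ;;
        false) return 1 ;;
        *)     return 2 ;;
    esac
    # useSecurity=true combined with the "Unsecured" authorization strategy
    # still gives every visitor full control, so report it as unsecured.
    if grep -q 'AuthorizationStrategy\$Unsecured' "$cfg"; then
        return 1
    fi
    return 0
}

# Online check: GET <base-url>/script anonymously (needs curl).
# Returns 0 if the script console is served (unsecured), 1 if access is
# denied or redirected to login, 2 if the instance could not be reached.
jenkins_anon_script_console() {
    url="${1%/}/script"
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$url") || return 2
    case "$code" in
        200) return 0 ;;
        000) return 2 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample config.xml files (not taken from a real instance),
# used to exercise the offline check without a running Jenkins.
write_unsecured_sample_config() {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<hudson>' \
        '  <useSecurity>false</useSecurity>' \
        '  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>' \
        '  <securityRealm class="hudson.security.SecurityRealm$None"/>' \
        '</hudson>' > "$1"
}

write_secured_sample_config() {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<hudson>' \
        '  <useSecurity>true</useSecurity>' \
        '  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"/>' \
        '  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">' \
        '    <disableSignup>true</disableSignup>' \
        '  </securityRealm>' \
        '</hudson>' > "$1"
}

# Human-readable verdict for a config file; does not exit so it can be
# sourced alongside other scripts.
report_config() {
    if jenkins_config_secured "$1"; then
        echo "$1: security enabled"
    elif [ $? -eq 1 ]; then
        echo "$1: UNSECURED - anyone reaching the port can run code as the Jenkins user"
    else
        echo "$1: could not determine (missing file or no <useSecurity> element)"
    fi
}

# Demonstration on the constructed samples, then on an assumed real path.
demo_dir=$(mktemp -d)
write_unsecured_sample_config "$demo_dir/open.xml"
write_secured_sample_config "$demo_dir/locked.xml"
report_config "$demo_dir/open.xml"
report_config "$demo_dir/locked.xml"
report_config /var/lib/jenkins/config.xml   # assumed JENKINS_HOME; adjust
rm -rf "$demo_dir"
```

Run the online probe against your own instance with `jenkins_anon_script_console http://127.0.0.1:8080; echo $?`: a result of 0 means the console answered an anonymous request and the instance should be locked down before it is reachable from anything but a trusted network.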
Reports indicate that affected machines have one or more of these files in their Jenkins home directory (e.g.
We currently neither know the exact nature of this malware, nor how to remove it. Because anything run through an unsecured instance executes as the Jenkins user, an affected host should be treated as fully compromised rather than cleaned up file by file.
Call to Action
If you have more information about these infections, please share what you know:
- Create an issue in the SECURITY project on issues.jenkins-ci.org (requires account), or