Jenkins project discloses security breach following Confluence server hack

The developers of the Jenkins server, one of the most widely used open-source automation systems, said they suffered a security breach after hackers gained access to one of their internal servers and deployed a cryptocurrency miner.

Despite the intrusion and malware deployment, the Jenkins team downplayed the severity of the breach in a statement published on Saturday.

Jenkins admins said the hacked server, which hosted the now-defunct Jenkins wiki portal (, had already been deprecated since October 2019 when the project moved its wiki and team collaboration systems from a self-hosted Atlassian Confluence server to the GitHub platform.

“At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected,” the Jenkins team said over the weekend.

Following the discovery of the hack, Jenkins developers said they permanently took down the hacked Confluence server, rotated privileged credentials, and reset passwords for developer accounts.

Breach part of the larger Confluence attack wave

The Jenkins breach is part of a recent wave of attacks exploiting CVE-2021-26084 (also nicknamed Confluenza), an authentication bypass and command injection bug in Atlassian’s Confluence server.

As The Record first reported last Wednesday, attacks against Confluence servers began last week and ramped up after security researchers published a proof-of-concept exploit on GitHub.

Attacks exploded throughout the week, prompting US Cyber Command to issue a public warning on Friday, urging administrators to patch affected systems before they left for the US Labor Day extended weekend.

The attacks, which most deployed cryptocurrency miners, according to security firms Bad Packets and Rapid7, are still ongoing.

According to internet monitoring project Censys, there are currently around 15,000 Atlassian Confluence servers that can be reached over the internet. 

According to Censys, on Sunday, September 5, there were 8,597 Confluence servers connected online and still vulnerable to CVE-2021-26084.

Image: Censys
Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

Recent Posts

Air War College Professor Pleads Guilty to Hiding Contacts With Chinese Official

A civilian professor at the Air War College on Maxwell Air Force Base in Montgomery,…

2 mins ago

Hackers use SQL injection bug in BillQuick billing app to deploy ransomware

At least one hacking group is exploiting a security flaw in a popular billing software…

2 hours ago

Microsoft says Russia hacked at least 14 IT service providers this year

Microsoft said on Monday that a Russian state-sponsored hacking group known as Nobelium had attacked…

3 hours ago

Decrypter announced for past BlackMatter ransomware victims

Antivirus maker and cybersecurity firm Emsisoft announced today the availability of a free decryption utility…

1 day ago

Malware found in npm package with millions of weekly downloads

A massively popular JavaScript library (npm package) was hacked today and modified with malicious code…

3 days ago

Facebook sues Ukrainian who scraped the data of 178 million users

Facebook has filed a lawsuit on Friday against a Ukrainian national for allegedly scraping its…

3 days ago