"Our corporate account (42Crunch) was one of the accounts that got deleted," Dmitry Sotnikov, Chief Product Officer at 42Crunch, told ZDNet in an interview yesterday.
Sotnikov said they followed instructions provided by the Jenkins team and re-registered their old account.
"Once we did, we found that this new account automatically got access and permissions that the old, deleted account had - including full ownership of our Jenkins extension in the marketplace.
"This means that someone could have beaten us and could have registered an account with the name identical to ours, and then pushed some sort of a malware update to users on our behalf," Sotnikov said.
Sotnikov also raised the issue with the Jenkins staff on their Google Groups discussion board.
Following the 42Crunch exec's finding, the Jenkins team blocked all uploads of new artifacts to the Jenkins Artifactory portal to prevent any threat actor from taking advantage of this loophole and replacing plugin artifacts (files) with malicious versions.
No signs of malicious activity
The Jenkins team also followed through with a security audit. Devs said they reviewed all artifact uploads between June 2 (the outage) and June 9, when the issue was brought to their attention, and found no suspicious uploads.
Jenkins devs said that while a threat actor could have uploaded new artifacts, the danger of pushing a malicious Jenkins plugin update was small, because an attacker would also have had to hijack the user's plugin account at the same time as the Jenkins Artifactory account.
Jenkins devs are currently preparing to disclose the incident to all Artifactory users who had their accounts deleted during the June 2 outage and are putting in place additional verification measures to prevent any account hijacking attempts by unauthorized third parties.
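The failure mode Sotnikov describes (a re-registered login name silently inheriting the deleted account's plugin ownership) and the audit the Jenkins team ran afterwards (reviewing uploads in the outage window) can both be made concrete in a small model. The code below is an added example, not code from ZDNet, 42Crunch, or the Jenkins project, and it does not claim to reflect how Artifactory or the Jenkins update center actually store permissions. It assumes a hypothetical account directory in which deleted names can be re-registered, contrasts an ownership table keyed by login name with one keyed by a stable account id, and then runs an audit that flags uploads in the outage window made by logins that were (re)created after the outage or no longer exist. All account names, dates and log entries are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
import itertools

# Hypothetical model of the name-reuse failure mode. Not Jenkins' or
# Artifactory's code; all names, dates and the upload log are constructed.


@dataclass(frozen=True)
class Account:
    uid: int            # stable id, never reused after deletion
    name: str           # login name, free to re-register after deletion
    created: datetime


class Directory:
    """Account store in which a deleted login name can be registered again."""

    def __init__(self):
        self._by_name = {}
        self._next_uid = itertools.count(1)

    def register(self, name, when):
        if name in self._by_name:
            raise ValueError(f"{name!r} is already registered")
        acct = Account(next(self._next_uid), name, when)
        self._by_name[name] = acct
        return acct

    def delete(self, name):
        del self._by_name[name]

    def lookup(self, name):
        return self._by_name.get(name)


class NameKeyedOwnership:
    """Weak binding: plugin -> owner login name. Deleting the account leaves
    the entry in place, so whoever re-registers the name inherits it."""

    def __init__(self):
        self._owner = {}

    def grant(self, plugin, acct):
        self._owner[plugin] = acct.name

    def may_upload(self, plugin, acct):
        return self._owner.get(plugin) == acct.name


class IdKeyedOwnership:
    """Stronger binding: plugin -> owner uid. A re-registered name gets a
    fresh uid, so it matches nothing until someone grants it explicitly."""

    def __init__(self):
        self._owner = {}

    def grant(self, plugin, acct):
        self._owner[plugin] = acct.uid

    def may_upload(self, plugin, acct):
        return self._owner.get(plugin) == acct.uid


def replay_takeover(ownership_cls):
    """Replay the sequence from the article: grant, delete, re-register the
    same name, try to upload. Returns True if the new account may upload."""
    directory = Directory()
    ownership = ownership_cls()
    original = directory.register("acme", datetime(2020, 1, 15))
    ownership.grant("acme-plugin", original)
    directory.delete("acme")                                     # the outage
    newcomer = directory.register("acme", datetime(2020, 6, 3))  # first to re-register wins the name
    return ownership.may_upload("acme-plugin", newcomer)


@dataclass(frozen=True)
class Upload:
    plugin: str
    uploader: str
    when: datetime


def uploads_needing_review(uploads, directory, outage, audit_end):
    """Audit step: every upload in [outage, audit_end] by a login that was
    (re)registered after the outage, or that no longer exists, could come
    from a squatted name and is returned for manual review."""
    flagged = []
    for up in uploads:
        if not outage <= up.when <= audit_end:
            continue
        acct = directory.lookup(up.uploader)
        if acct is None or acct.created >= outage:
            flagged.append(up)
    return flagged


def demo():
    """Run the audit over a constructed upload log; returns 'plugin@uploader' hits."""
    outage, audit_end = datetime(2020, 6, 2), datetime(2020, 6, 9)
    directory = Directory()
    directory.register("steady", datetime(2019, 3, 1))   # untouched by the outage
    directory.register("acme", datetime(2020, 6, 3))     # re-registered after the outage
    uploads = [                                          # constructed log
        Upload("steady-plugin", "steady", datetime(2020, 6, 4)),
        Upload("acme-plugin", "acme", datetime(2020, 6, 5)),
        Upload("acme-plugin", "acme", datetime(2020, 5, 20)),   # before the window
        Upload("other-plugin", "ghost", datetime(2020, 6, 6)),  # login no longer exists
    ]
    hits = uploads_needing_review(uploads, directory, outage, audit_end)
    return [f"{up.plugin}@{up.uploader}" for up in hits]


if __name__ == "__main__":
    print("name-keyed lets the re-registered account upload:", replay_takeover(NameKeyedOwnership))
    print("id-keyed lets the re-registered account upload:", replay_takeover(IdKeyedOwnership))
    print("uploads to review:", demo())
```

The point of the contrast is that a permission table keyed by a reusable login name has no notion of "this is a different person with the same name"; keying on an identifier that is never reused turns account deletion into an implicit revoke. The audit function is deliberately conservative: a legitimate maintainer who re-registered, as 42Crunch did, is flagged too, because from the log alone the two cases look identical and only a human check of the upload contents and the maintainer's identity can separate them.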