We have received reports of attacks targeting Jenkins installations that do not have cross-site request forgery (CSRF) protection enabled (it is disabled by default on Jenkins 1.x). This is dangerous because, without CSRF protection, your Jenkins instance is vulnerable to targeted attacks even if it is behind a firewall or on a private network: an attacker only needs a logged-in user to open a specially crafted link, sent via email or another medium, and the victim's browser will submit the forged request to Jenkins with the victim's session.
This is a reminder that you should enable this feature in your Jenkins instance, even if your instance is not directly exposed to the internet. See the Jenkins wiki for more details about this feature. This is also a good opportunity to take another look at the "Secure Jenkins" wiki page, which discusses various security-related topics, including this one.
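The setting can be flipped without the web UI, which is convenient for fleets of 1.x instances. The following is an added example, not code from the original post or from the Jenkins project: a Groovy script that enables CSRF protection using Jenkins' own DefaultCrumbIssuer, suitable for the script console (Manage Jenkins > Script Console) or a file in $JENKINS_HOME/init.groovy.d so it is applied on every startup. The choice to exclude the client IP from the crumb is an assumption made here; it keeps crumbs valid for instances behind a reverse proxy, where the IP Jenkins sees may change between requests.

```groovy
import jenkins.model.Jenkins
import hudson.security.csrf.DefaultCrumbIssuer

// Added example: enable CSRF protection on a Jenkins instance that has none.
// Run from the script console or drop into $JENKINS_HOME/init.groovy.d/.
def jenkins = Jenkins.instance

if (jenkins.crumbIssuer == null) {
    // The "true" argument is excludeClientIPFromCrumb. Assumption for this
    // example: the instance sits behind a reverse proxy, so the crumb must not
    // be tied to the client IP or legitimate requests would be rejected.
    // Use "false" for a directly reachable instance to bind crumbs to the IP.
    jenkins.crumbIssuer = new DefaultCrumbIssuer(true)
    jenkins.save()
    println 'CSRF protection enabled: DefaultCrumbIssuer installed and config saved'
} else {
    println "CSRF protection already enabled: ${jenkins.crumbIssuer.class.name}"
}
```

To confirm the change from outside Jenkins, request /crumbIssuer/api/json (authenticated if anonymous read is disabled): an instance with protection enabled answers with a crumb field and the header name clients must send, while an unprotected instance returns an error for that endpoint. Any scripted clients or CI integrations that POST to Jenkins then need to fetch that crumb and pass it along with their requests, which is the behaviour CSRF protection is meant to enforce.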
If you come across malware that is exploiting Jenkins, or find vulnerabilities, please report them by following the responsible disclosure process outlined on jenkins.io. This allows us to resolve those issues before the method of attack becomes publicly known.