First reported here in a comment under JENKINS-24805.

Minimal reproduction script is:

node() {
  withCredentials( [] ) {
      echo 'Test of the credentials binding decorator'
  }
}

So, passing an empty list of credentials--my concrete use case constructs the list based on upstream factors; some of the times there are no credentials to resolve so the list is empty. The relevant part of the log then winds up like this:

[Pipeline] Bind credentials to variables : Start
[Pipeline] withCredentials {
[Pipeline] echo
****T****e****s****t**** ****o****f**** ****t****h****e**** ****c****r****e****d****e****n****t****i****a****l****s**** ****b****i****n****d****i****n****g**** ****d****e****c****o****r****a****t****o****r****
****
****[Pipeline] } //withCredentials
[Pipeline] Bind credentials to variables : End

I believe it's because BindingStep.Filter::Filter builds a zero-length pattern in this scenario, which matches like crazy.

The obvious workaround is just to not wrap using withCredentials if the credentials list is empty, so it's not a huge deal. I'm also unsure if this issue should be distinct from JIRA-24805.