It would seem password string in credentials after ";" is running as shell command as jenkins user arbitrarily.
Never double-quote arguments to sh unless you intend to have this behavior. The command interpreter cannot distinguish ; in the script from ; in variables if Pipeline/Groovy is doing the interpolation and the variables are never seen by the command interpreter.
security risks of echoing partial passwords in plain text
While Credentials Plugin has a fairly flexible masking rule taking care of the common shells' accidental output, there are limits to what can be identified as a secret to be masked. Just skip the punctuation and add a few more chars.
GitHub and GitLab similarly tell you to keep your passwords simple if you want masking/redaction to be successful.
Will just leave it here https://gist.github.com/Faheetah/e11bd0315c34ed32e681616e41279ef4
Specifically regarding lines 15-16, use https://www.jenkins.io/doc/pipeline/steps/workflow-basic-steps/#withenv-set-environment-variables
sh 'echo $foo'
looks a bit silly, but it works.