agentwork-cli npm package carried Shai-Hulud

The agentwork-cli record is a small slice of the May 2026 Shai-Hulud wave, but it is the slice an incident responder would search for in a package inventory. JFrog listed two malicious npm releases, 0.1.4 and 0.1.5, under the official agentwork-cli package name.

The package did not need a bespoke exploit. In this campaign, TeamPCP used compromised publishing access to turn ordinary package installs into credential-harvesting opportunities. A developer workstation or CI runner that installed the affected versions could expose npm tokens, GitHub material, cloud credentials, and other secrets the worm could use for the next publishing step.

That is why this page keeps the package separate from the aggregate campaign. The broader [[shai-hulud-here-we-go-again]] record explains the shared loader, infrastructure, and self-propagation behavior. This record pins the affected package name, versions, dates, and registry URLs to one trust boundary.

The operational question is narrow: did any build, lockfile, cache, or developer machine resolve agentwork-cli to one of those releases on May 11 or May 12? If yes, the cleanup path starts with credential rotation from a known-clean machine and a review of any downstream packages that environment could publish.

Motive

Credential Theft

Attribution

Group

Cause

Compromised Account Credentials

Transitive

Yes

Actor

TeamPCP

• Minimal campaign-linked record created to keep Shai-Hulud package evidence scoped by vendor, organization, maintainer account, or package distribution surface.

• Shai-Hulud: Here We Go Again - Worm by TeamPCP Hits NPM and PyPIresearch.jfrog.com