cmux-agent-mcp npm package carried Shai-Hulud

The cmux-agent-mcp compromise was one of the narrower package records in the May 2026 Shai-Hulud wave. JFrog listed six affected cmux-agent-mcp npm versions, all published inside the same May 11-12 window that drove the broader TeamPCP campaign.

The package name matters because MCP tooling often sits in developer automation paths rather than end-user runtime paths. That is exactly where Shai-Hulud wanted to run. A package install in an agent, local development shell, or CI job could expose npm tokens, GitHub credentials, cloud metadata, SSH material, and other secrets before the user saw anything obviously wrong.

This record therefore treats cmux-agent-mcp as its own distribution surface. The campaign page explains the common loader and self-propagation mechanics; this page anchors the affected package name, version set, dates, and npm URLs for inventory and incident-response work.

Defenders do not need to prove the package was imported by a production service before acting. The risk begins when a privileged environment resolved and executed one of the affected releases. That makes package caches, build logs, and lockfiles as important as deployed application manifests.

Motive

Credential Theft

Attribution

Group

Cause

Compromised Account Credentials

Transitive

Yes

Actor

TeamPCP

• Minimal campaign-linked record created to keep Shai-Hulud package evidence scoped by vendor, organization, maintainer account, or package distribution surface.

• Shai-Hulud: Here We Go Again - Worm by TeamPCP Hits NPM and PyPIresearch.jfrog.com