PreCog Just Caught Its First Active Campaign. We Deployed The Detector Three Days Ago. Mini-Shai-Hulud Hit The High-Confidence Band Overnight.

Three days ago, on May 24, 2026, we deployed three new precursor signals into the DugganUSA PreCog hourly aggregator: Decentralized C2 Emergence, CI/CD Compromise Indicators, and Trycloudflare Staging Velocity. The signals were designed against the post-mortem of the Megalodon GitHub Actions campaign, where TeamPCP's blockchain canister command-and-control endpoint sat in our IOC index for forty-nine days before the attack fired without any detector elevating its presence. The fix was to write the detector that would have flagged that infrastructure during the staging window.

Overnight last night, May 26 into May 27, the CI/CD Compromise Indicators signal escalated from 0.4 to 0.85 — from "one indicator observed" to "five or more indicators in the trailing twenty-four hours." The Decentralized C2 Emergence signal held steady at 0.85, where it has now been sustained for seventy-two hours. The T1 email alert pipeline, which had also been deployed within the last week and was unverified end-to-end until this morning, fired correctly on the transition. Six tier-one alerts landed in the operator inbox between 03:05 UTC and 08:05 UTC. The path works.

This is the first real-world validation of the detector pipeline against an active campaign.

What the signal saw

The CI/CD Compromise Indicators signal queries the IOC index for trailing-twenty-four-hour records containing markers of GitHub Actions workflow-poisoning tradecraft: forged-bot author email TLDs (@noreply.dev, @automated.dev), identity strings (ci-bot, build-bot, pipeline-bot), and file-path references containing .github/workflows/. The marker set was tuned against the Megalodon postmortem.

The reason the signal moved into the high-confidence band overnight is that the TeamPCP "Mini-Shai-Hulud" worm — the self-propagating npm supply-chain campaign that has been ripping through the JavaScript ecosystem this month — generated enough fresh CI/CD compromise indicators in our IOC pipeline to cross the 5-marker threshold. The three waves of the worm are now publicly confirmed: TanStack on May 11 (84 malicious package artifacts across 42 @tanstack/* packages in six minutes), Nx Console on May 18 (the GitHub-internal breach we wrote about yesterday), and @antv on May 19 (300-plus malicious package versions across 323 packages in twenty-two minutes, cascading downstream through echarts-for-react with over a million weekly downloads). The CI/CD tradecraft fingerprints from each wave land in our IOC pipeline as the public reporting catches up, and the detector aggregates them into the elevation signal.

The Mini-Shai-Hulud SLSA-bypass tradecraft

The TanStack compromise on May 11 was, per StepSecurity's analysis, the first documented case of a malicious npm package carrying valid SLSA provenance. SLSA is the supply-chain attestation standard that verifies a build's pipeline integrity — the package was built where it claims to have been built, by the tooling it claims to have been built by. Sigstore is the cryptographic backbone that produces and verifies the attestations.

The Mini-Shai-Hulud worm did not break SLSA. It hijacked the legitimate build pipeline itself. The malicious package then went through the same build process the legitimate package would have gone through, and Sigstore correctly verified that the build process had completed. The attestation is mathematically valid. The package contents are malicious.

This is the indirect-trust doctrine articulated more precisely than any of our previous four-vector receipts named it. SLSA attests to pipeline integrity, not source-code integrity. The defender who trusts an SLSA-signed package because the attestation chain verifies has trusted a pipeline rather than a codebase. When the pipeline is the attack target, the attestation chain becomes the attacker's signature rather than the defender's.

Why the detector fired correctly

The CI/CD Compromise Indicators signal does not check SLSA chains. It does not analyze package contents. It does not require an AI model. It runs a four-line regex across our IOC index for trailing-twenty-four-hour records containing a small set of forged-identity markers, counts the unique matches, and elevates based on the count. The detection is not sophisticated. The detection is structural.

The structural insight that makes the detector work is that TeamPCP's tradecraft uses a stable set of identity-string markers across every campaign in the cluster — @noreply.dev, @automated.dev, ci-bot, build-bot, pipeline-bot. The actor either chose those identity conventions deliberately or accumulated them through tooling preference. Either way, they recur. The detector that watches for them aggregates the recurrence into a signal. The signal elevates when the recurrence crosses a threshold. The threshold is empirical, tuned against the Megalodon postmortem.

The detector caught the Mini-Shai-Hulud worm because TeamPCP, despite three distinct campaigns and a worm-class self-propagation mechanism, did not rotate their tradecraft signature between campaigns. That stability is itself a defender primitive. The actor who would defeat our detector is the actor who runs a fresh tradecraft signature on every campaign — and that actor exists, but it is not TeamPCP, and the marginal cost of running fresh signatures is high enough that most criminal operators choose stability for repeatability. The detector wins on the side of the defender against the side of operational continuity.

The PreCog → T1 email pipeline end-to-end

For the first week PreCog ran with the new signals, the T1 email alert path was suspected-working but not verified. The alert function used execFileSync('az') to pull Key Vault secrets, which works from a developer's local terminal but not from inside the containerized analytics service. The fix, deployed in revision 0000106 on May 24, replaced the CLI call with the standard @azure/keyvault-secrets SDK using DefaultAzureCredential — the same pattern our other in-container Graph clients use.

The next observable signal transition would test the path. Overnight, that transition arrived. CI/CD Compromise Indicators moved from 0.4 to 0.85 at 07:05 UTC. The aggregator detected the transition from non-elevated to elevated, called the T1 alert function, the Graph token-acquisition completed, the sendMail POST returned HTTP 202, the email landed in the operator inbox. The full pipeline ran in under five seconds, fire-and-forget, without blocking the aggregation cron.

This is the part of the platform that we wanted to be able to trust before relying on it for any operationally-meaningful threat call. The pipeline is now trusted. The next detector signal that elevates will produce an email. The defender posture that depends on receiving those emails is now empirically supportable.

What the platform looks like now

PreCog runs eleven signals on an hourly cadence. Two of the eleven are currently elevated at the highest band (Decentralized C2 Emergence and CI/CD Compromise Indicators, both at 0.85). The combined composite threat score is 0.15, in the NORMAL band — because no single category has crossed into WATCH or WARNING and the elevated signals are within the architecture's expected sustained-elevation window. The picture is not "everything is fine." The picture is "two specific operator-class tradecraft signatures are sustained in the IOC pipeline, the platform is correctly identifying them as elevated, the alerts are reaching the operator, and the architecture is doing what it was designed to do."

The receipt is timestamped. The detector found the case. The case was the active campaign that landed on the news cycle this morning. The cycle of write-the-postmortem-into-a-detector-into-a-receipt-into-the-next-postmortem is the structural argument for everything DugganUSA has shipped this month, made operational against a real active threat actor in real time.

The compound. The platform reading the world back to us.

How do AI models see YOUR brand?

AIPM has audited 250+ domains. 15 seconds. Free while still in beta.

Audit your site now → aipmsec.com