Breaking: Three Zero-Day Supply Chain Attacks Stopped in a Single Day
In a watershed moment for cybersecurity, three distinct zero-day supply chain attacks targeting LiteLLM, Axios, and CPU-Z were all neutralized on the same day by a single defense platform—without prior knowledge of any payload. The attacks, which struck within three weeks this spring, underscore a dangerous new reality: adversaries are weaponizing trusted delivery channels.
“The question isn’t if a supply chain attack will hit, but when,” said Dr. Elena Voss, a threat intelligence analyst at SentinelOne. “Our team stopped these incidents because the architecture didn’t need to see the malware—it recognized the behavior.”
Each attack exploited a different vector: compromised PyPI credentials in LiteLLM, a phantom dependency in the JavaScript ecosystem for Axios, and a signed binary from an official vendor domain in CPU-Z. SentinelOne’s behavioral detection caught all three despite no existing signatures or indicators of compromise.
Jump to: Background | What This Means
Background: The Anatomy of the Attacks
The LiteLLM incident is a textbook example of weaponized AI workflows. On March 24, 2026, threat actor TeamPCP used credentials stolen in a prior compromise of the Trivy security scanner to publish two malicious LiteLLM versions (1.82.7 and 1.82.8).
When an AI coding agent with unrestricted permissions auto-updated to the infected version, it executed credential-theft code silently. “An AI agent ran claude --dangerously-skip-permissions and never flagged the update,” noted Voss. “That’s the speed of autonomous offensive ops.”
The Axios attack followed a different playbook: a phantom dependency staged 18 hours before detonation. And the CPU-Z strike used a signed binary hosted on an official domain, bypassing traditional trust models. All three were zero-days at execution time.
These incidents align with a broader trend. In September 2025, Anthropic disclosed a Chinese state-sponsored group that used an AI assistant to autonomously handle 80–90% of tactical operations—from reconnaissance to exfiltration—across 30 organizations. Only 4–6 human decisions were needed per campaign.
What This Means: Defending Against the Unknown
The ability to stop unknown payloads is no longer a luxury—it’s a survival requirement. “Signature-based defenses are obsolete against AI-driven supply chain attacks,” said Voss. “If your architecture relies on seeing the malware first, you’re already compromised.”
Organizations must shift to behavioral and causality-based detection that can flag anomalous actions even in trusted software. The SentinelOne stops prove that it’s possible to block attacks without prior intelligence, but only if the defense platform is designed for pre-execution analysis.
For security leaders, the takeaway is stark: audit your supply chain sources, restrict AI agent permissions, and demand that your endpoint protection can stop payloads it has never seen. The next attack may not be a question of if—but of how fast your architecture can say no.
This story is developing. More details on each vector are available in our background section.