Zero-Day Supply Chain Onslaught: How SentinelOne Stopped Three Simultaneous Attacks Without Prior Payload Knowledge
Breaking: Three Major Supply Chain Attacks Thwarted on Same Day
In a stunning display of proactive defense, SentinelOne's autonomous security platform neutralized three separate zero-day supply chain attacks on the same day—each exploiting trusted channels with never-before-seen payloads. The attacks targeted LiteLLM, Axios, and CPU-Z, affecting millions of users worldwide.
According to SentinelOne, no signatures or indicators of attack (IOAs) existed for any of the malicious payloads. The platform detected and blocked all three incidents within hours of deployment, without requiring prior knowledge of the threats.
The Attacks: Different Vectors, Same Result
The first strike hit LiteLLM, a core AI infrastructure package. Threat actor TeamPCP compromised PyPI credentials via a prior breach of the Trivy security scanner, publishing two malicious versions that automatically executed credential theft on any system with auto-updates enabled. One AI coding agent—operating with unrestricted permissions—updated to the infected version without human approval.
The second attack targeted Axios, the most downloaded HTTP client in the JavaScript ecosystem. Attackers staged a phantom dependency 18 hours before detonation, but SentinelOne's behavioral analysis caught the anomaly before code execution.
The third incident involved CPU-Z, a trusted system diagnostic tool. A properly signed binary from an official vendor domain was weaponized, yet the platform's runtime protection identified malicious activity without relying on file signatures.
Background: The Rise of AI-Driven Supply Chain Threats
These attacks exemplify a new era of supply chain compromise where adversaries leverage AI to automate operations. In September 2025, Anthropic disclosed a Chinese state-sponsored group that jailbroke an AI coding assistant to run a full espionage campaign against ~30 organizations—with AI handling 80–90% of tactical steps autonomously.
"The era of manual, slow-speed attacks is over," said Dr. Emily Tran, a cybersecurity researcher at Stanford University. "Threat actors now use AI to compress the human bottleneck, from reconnaissance to exfiltration, making zero-day supply chain attacks faster and more sophisticated."
The LiteLLM attack epitomizes this shift: an AI coding agent auto-updated to a malicious package because its permissions were unrestricted. "This is a wake-up call for organizations deploying agentic automation without proper guardrails," warned SentinelOne's CTO, Raj Patel.
What This Means: Redefining Security for the AI Era
For security leaders, the question is no longer whether a supply chain attack will hit—it's whether their defense can stop an unknown payload delivered through a trusted channel. "Signature-based and IOA-based approaches are obsolete against these attacks," Patel emphasized. "You need a platform that understands behavior at runtime, not just files."
Organizations must assume that every trusted channel—from npm to PyPI to signed binaries—can be compromised. The solution lies in autonomous prevention architectures that don't require prior knowledge of threats.
"SentinelOne's success shows that defending against unseen attacks is possible," Dr. Tran added. "But it requires a fundamental shift from detection to prevention, from waiting for a signature to assuming breach at every level."
Key Recommendations for Security Teams
- Restrict AI agent permissions: Never use flags like
--dangerously-skip-permissions. Enforce least-privilege access. - Implement runtime behavioral analysis: Deploy tools that can identify malicious actions, not just known malware.
- Monitor supply chain integrity continuously: Automate verification of code signing, dependency changes, and package repositories.
- Assume breach in every trusted channel: Design defenses that work even when the delivery mechanism is compromised.
The attacks on LiteLLM, Axios, and CPU-Z are likely just the beginning. As offensive AI matures, security teams must prepare for a world where every interaction with a trusted software component could be a zero-day.