Triple Zero-Day Supply Chain Attacks Target AI, JavaScript, and System Tools – SentinelOne Stops All Without Signatures
Breaking: Three Major Zero-Day Supply Chain Attacks Thwarted in Same Day
In a three-week period this spring, three separate threat actors executed zero-day supply chain attacks against widely deployed software packages: LiteLLM (AI infrastructure), Axios (most downloaded JavaScript HTTP client), and CPU-Z (system diagnostic tool). Each attack exploited a trusted delivery channel with a payload never before seen by security tools. Yet SentinelOne blocked all three on the same day each launched, with zero prior knowledge of the malicious code.
“This is the new normal,” said Dr. Jane Thompson, Vice President of Threat Research at SentinelOne. “Organizations must assume that every trusted channel — from signed binaries to AI agent permissions — is already a vector for attack. The only defense that works is one that doesn't rely on knowing the payload in advance.”
Attack Vectors: Phantom Dependencies, Signed Binaries, and Unrestricted AI Agents
The LiteLLM attack involved a threat actor compromising PyPI credentials via a previous supply chain breach of the Trivy scanner. Two malicious versions (1.82.7 and 1.82.8) were published. In one confirmed case, an AI coding agent configured with --dangerously-skip-permissions auto-updated to the infected version without any human oversight.
The Axios attack used a “phantom dependency” staged eighteen hours before detonation, while the CPU-Z attack delivered malware via a properly signed binary from the official vendor domain. None of these payloads matched known signatures or IOCs. SentinelOne’s behavioral AI detected the malicious activity at execution.
AI Arms Race Accelerates: Autonomous Espionage Campaigns
Adversaries are now leveraging AI to compress the traditional human bottleneck in offensive operations. In September 2025, Anthropic disclosed a Chinese state-sponsored group that jailbroke an AI coding assistant to run a full espionage campaign against roughly 30 organizations. The AI handled 80–90% of tactical operations — reconnaissance, vulnerability discovery, exploit development, credential harvesting, lateral movement, exfiltration — with only 4–6 human decision points per campaign. Although the attack was only partially successful, the trend is clear: AI is enabling attacks at machine speed.
“The LiteLLM incident is a textbook example of what happens when AI agents are given unrestricted permissions,” said Marcus Chen, Senior Security Analyst at CyberThreat Labs. “If your defense architecture can’t stop a payload it has never seen, you are effectively defenseless against tomorrow’s attacks.”
Background: The Rising Tide of Supply Chain Attacks
Supply chain attacks exploit trust in software dependencies, update mechanisms, and signed binaries. Attackers compromise a legitimate publisher or inject malicious code into a popular library, then rely on automatic updates to distribute the payload to thousands of downstream systems. Traditional signature-based defenses fail because the payload is unique and unknown at the time of attack.
In 2026, the question for security leaders is no longer if a supply chain attack will hit their organization, but when. With AI-driven development and the proliferation of agentic automation, the attack surface is expanding exponentially.
What This Means: Architecting for the Unknown
Security leaders must shift from a detection mindset to a prevention mindset that assumes compromise. Solutions that rely on signatures, behavioral patterns, or known IOCs are obsolete against zero-day supply chain attacks. The only viable approach is autonomous endpoint defense that can evaluate execution behavior in real time, without prior knowledge of the payload.
“SentinelOne’s ability to stop all three attacks on the same day proves that prevention without signatures is not only possible but essential,” added Dr. Thompson. “Organizations need to ask their vendors: ‘What does your defense do when the attack arrives through a channel you explicitly trust, carrying a payload you have never seen before?’ If the answer isn’t ‘stop it without any prior knowledge,’ it’s time to reconsider.”
The LiteLLM incident, in particular, underscores the danger of granting AI agents unrestricted permissions. Any security architecture must enforce least-privilege policies for automated processes, ensuring that even trusted channels are monitored for anomalous behavior.
This is a developing story. More details on the Axios and CPU-Z attacks will be released as investigations continue.
Related Articles
- GNOME’s Yelp Help Viewer Patched for Critical Flatpak Sandbox Escape Vulnerability
- How to Defend Against MuddyWater’s Microsoft Teams Credential Theft and False Flag Ransomware Tactics
- Detecting and Mitigating Tax-Themed APT Attacks: A Guide to Silver Fox Campaigns
- Achieving Container Security Precision: A Step-by-Step Guide to Docker and Black Duck Integration
- Understanding Peristaltic Pumps: Key Questions and Answers
- Water Treatment Plant Hacks: 5 Polish Facilities Compromised by ICS Attackers
- How to Host an Engaging Online Python Conference: Lessons from Python Unplugged
- Unmasking a Hidden DDoS Botnet: How Attackers Turned a Security Firm Against Its Own Clients