VYPR
Research · Published Apr 22, 2026 · Updated May 18, 2026 · 1 source

SentinelOne Details Three Zero-Day Supply Chain Attacks on LiteLLM, Axios, and CPU-Z in Spring 2026

SentinelOne reveals three distinct zero-day supply chain attacks targeting LiteLLM, Axios, and CPU-Z in spring 2026, all blocked by its platform without prior signatures.

In spring 2026, three separate threat actors launched zero-day supply chain attacks against widely used software packages: LiteLLM, Axios, and CPU-Z. SentinelOne Labs detailed the incidents in a report published on April 22, 2026, highlighting that its platform detected and blocked all three payloads on the same day each attack launched, with no prior knowledge of any payload. The attacks exploited trusted delivery channels and bypassed traditional security controls, underscoring the inadequacy of signature-based defenses against modern supply chain threats.

The first attack targeted LiteLLM, a core AI infrastructure package. On March 24, 2026, threat actor TeamPCP compromised the LiteLLM Python package by obtaining PyPI credentials through a prior supply chain compromise of Trivy, a widely used open-source security scanner. Two malicious versions (1.82.7 and 1.82.8) were published. In one confirmed detection, an AI coding agent running with unrestricted permissions auto-updated to the infected version without human review, executing the embedded credential theft payload automatically. SentinelOne blocked the malicious Python execution across multiple environments.
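A defender-side check for the two LiteLLM versions named above, written as an added example (it is not code from SentinelOne's report or from the LiteLLM project). It scans requirements-style lines and separates an exact pin to a malicious release from a loose specifier that an unattended update could have resolved to one. The function names and status labels are assumptions of this example, and only plain numeric versions are handled.

```python
import re

# The two litellm versions are the ones named in the article; all else is illustrative.
COMPROMISED = {"litellm": ("1.82.7", "1.82.8")}
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
CLAUSE = re.compile(r"^(==|!=|>=|<=|~=|>|<)\s*(\d+(?:\.\d+)*)$")

def _key(version):
    return tuple(int(part) for part in version.split("."))

def _admits(clause, version):
    """Does one specifier clause (e.g. '>=1.80') admit this version?"""
    m = CLAUSE.match(clause.strip())
    if not m:
        return True  # wildcard or unparsed clause: assume it does not exclude
    op, ref = m.groups()
    v, r = _key(version), _key(ref)
    if op == "~=":  # compatible release: >= ref and same leading components
        return v >= r and v[:len(r) - 1] == r[:-1]
    return {"==": v == r, "!=": v != r, ">=": v >= r,
            "<=": v <= r, ">": v > r, "<": v < r}[op]

def audit(lines):
    """Return (line_no, package, status, versions) for each risky requirement."""
    findings = []
    for no, raw in enumerate(lines, 1):
        # Drop trailing comments and environment markers before parsing.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = REQ.match(line)
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower() if m else ""  # PEP 503
        if name not in COMPROMISED:
            continue
        clauses = [c for c in m.group(2).split(",") if c.strip()]
        hits = [v for v in COMPROMISED[name] if all(_admits(c, v) for c in clauses)]
        if hits:
            pinned = len(clauses) == 1 and clauses[0].strip().startswith("==")
            findings.append((no, name, "COMPROMISED" if pinned else "AT_RISK", hits))
    return findings

# Constructed sample input (not taken from any real project).
SAMPLE = ["requests==2.32.3", "litellm==1.82.8  # pinned to a bad release",
          "LiteLLM[proxy]>=1.80,<2.0", "litellm~=1.81.0", "litellm==1.82.6", "litellm"]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An `AT_RISK` result means the specifier would have accepted a malicious release, so the lock file and the installed environment still need to be checked for what was actually resolved.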

The second attack targeted Axios, the most downloaded HTTP client in the JavaScript ecosystem. The attacker bypassed npm security controls by exploiting a legacy access token that maintainers had forgotten to revoke. A phantom dependency was staged eighteen hours before detonation, allowing the malicious package to be distributed through official channels.

The third attack targeted CPU-Z, a trusted system diagnostic tool. Attackers compromised CPUID's distribution infrastructure directly, so anyone who downloaded from the official website received a properly signed binary with a payload inside.

All three attacks exploited the same fundamental gap: authorization was treated as a sufficient security boundary. As SentinelOne's Annual Threat Report noted, "The identity is verified, but the intent has been subverted, rendering traditional access controls ineffective against the resulting supply chain contamination." Signature libraries, IOA rule sets, and reputation lookups all check authorization but none check intent. These attacks were designed to exploit exactly that.

The report emphasizes that AI is compressing attack timelines. In September 2025, Anthropic disclosed a Chinese state-sponsored group that used an AI coding assistant to run a full espionage campaign, with the AI handling 80–90% of tactical operations autonomously. Security programs built around manual-speed adversaries are ill-equipped to handle threats that move at machine speed. The LiteLLM attack is a clear example: an AI agent with install permissions does not stop to ask whether a package looks right—it installs.

SentinelOne's ability to block all three attacks without prior signatures demonstrates a shift in defense strategy. The company argues that traditional vulnerability management, triage queues, and patch cadences assume an attacker who moves at a pace where human response can still close the window. But adversaries are now shifting left, embedding malicious logic in the build process before software ever reaches production. The Verizon 2025 Data Breach Investigations Report found that edge device vulnerabilities are now being mass-exploited at or before the day of CVE publication, while organizations take a median of 32 days to patch them.

The report concludes that the question for security leaders is not whether a supply chain attack is coming, but whether their defense architecture can stop a payload it has never seen before. As trusted agentic automation becomes the norm, the gap where human review processes don't reach grows wider with every AI agent added to a pipeline. SentinelOne's success in stopping these three attacks offers a blueprint for a new approach: one that does not rely on knowing the payload in advance.

Synthesized by Vypr AI