Read our blog post to learn how SentinelOne’s AI EDR autonomously stopped a global LiteLLM supply chain attack before execution.
# Incident Report: LiteLLM Supply Chain Attack (Axios Poisoning)
## Executive Summary
A supply chain attack targeted the `litellm` library by introducing a malicious dependency on a poisoned version of the popular `axios` package. The attack aimed to execute a zero-day exploit and establish a persistent backdoor within environments using the LiteLLM framework. SentinelOne’s AI-powered EDR autonomously detected and blocked the malicious execution globally before the attack could manifest.
## Incident Details
- **Discovery Date:** March 31, 2026 (Reported)
- **Incident Date:** Late March 2026
- **Affected Organization:** Users of LiteLLM (Global impact)
- **Sector:** Technology / Artificial Intelligence / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026
- **Vector:** Supply Chain Compromise
- **Details:** Attackers injected a malicious version of the `axios` library into the dependency tree of the `litellm` package, a popular proxy for LLM APIs.
### Lateral Movement
- **Details:** The attack was designed to gain an initial foothold on systems running AI workloads. While internal lateral movement was the likely subsequent goal, the incident was mitigated at the endpoint level before movement occurred.
### Data Exfiltration/Impact
- **Details:** No data exfiltration was reported due to autonomous blocking. The intended impact was the execution of a zero-day payload and the establishment of an unauthorized backdoor into AI development environments.
### Detection & Response
- **How it was discovered:** SentinelOne’s AI EDR identified anomalous behavioral patterns during the execution of the poisoned dependency.
- **Response actions taken:** The Star-W automated engine killed the malicious processes and quarantined the affected files across all protected global environments simultaneously.
## Attack Methodology
- **Initial Access:** Supply Chain (Dependency Poisoning).
- **Persistence:** Attempted installation of a persistent backdoor via the poisoned `axios` package.
- **Defense Evasion:** Use of a trusted, legitimate-looking library name (`axios`) to bypass manual code review and traditional signature-based scanners.
- **Discovery:** Automated scanning of Python/Node environments for API keys and environment variables.
- **Impact:** Remote Code Execution (RCE) and system compromise.
## Impact Assessment
- **Financial:** Minimal; avoided potentially massive costs associated with a full-scale AI infrastructure breach.
- **Data Breach:** None reported; prevented theft of sensitive LLM prompts or API keys.
- **Operational:** Low; autonomous remediation prevented downtime for affected organizations.
- **Reputational:** High risk to the LiteLLM project, mitigated by rapid discovery and public disclosure.
## Indicators of Compromise
- **File indicators:** Poisoned `axios` package versions (specific hashes not listed in text but identified by EDR).
- **Behavioral indicators:** `litellm` initiating unexpected child processes; unauthorized outbound network connections to unknown C2 during library initialization.
## Response Actions
- **Containment:** Automated process termination and file quarantine by EDR agents.
- **Eradication:** Removal of the poisoned dependency from affected environments.
- **Recovery:** Notification to the community and clean-up of development registries.
## Lessons Learned
- **Key takeaways:** Supply chain attacks remain a primary threat to AI development stacks, which often rely on deep trees of open-source dependencies.
- **What could have been done better:** Stricter pinning of dependency versions and hash verification for all transitive dependencies can reduce exposure to "latest version" poisoning, because a substituted package then fails the hash check at install time instead of executing.
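As an added example (not code from the SentinelOne report or the LiteLLM project), a small Python audit that flags `requirements.txt` entries lacking an exact `==` pin or a `--hash=sha256:` value, plus a helper that recomputes a downloaded artifact's digest for comparison; the sample requirements text, package versions and hash values are constructed placeholders.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Constructed sample requirements file (placeholder versions and hash):
# one entry pinned with a hash, one pinned without, one floating, one bare.
SAMPLE_REQUIREMENTS = """\
litellm==1.0.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests==2.31.0
openai>=1.0
tiktoken
"""

# name, optional comparison operator, optional version
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s\\]*)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def audit_requirements(text):
    """Return (name, problem) pairs for entries that are not both exactly
    pinned and hash-locked. Backslash continuations are joined first so the
    --hash options land on the same logical line as the requirement."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue  # comments and pip options such as --index-url
        match = REQ_RE.match(line)
        if not match:
            continue
        name, op, _version = match.groups()
        if op != "==":
            findings.append((name, "not pinned to an exact version"))
        if not HASH_RE.search(line):
            findings.append((name, "no --hash=sha256: value; pip cannot verify the artifact"))
    return findings


def sha256_matches(data, expected_sha256):
    """Compare the digest of raw artifact bytes to the lock-file value."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_sha256)


def verify_artifact(path, expected_sha256):
    """Recompute the digest of a downloaded wheel or sdist on disk."""
    return sha256_matches(Path(path).read_bytes(), expected_sha256)


if __name__ == "__main__":
    for name, problem in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}: {problem}")
```

Running the block lists `requests`, `openai` and `tiktoken` as needing attention while the hash-pinned `litellm` entry passes; in practice the same check belongs in CI before `pip install --require-hashes` runs.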
## Recommendations
- **Inventory Management:** Conduct regular audits of software bills of materials (SBOMs) for AI-related applications, including their transitive dependencies.
- **Zero-Trust for Dependencies:** Treat all third-party libraries as untrusted until verified.
- **Behavioral Monitoring:** Ensure EDR solutions are configured to monitor process behaviors of development tools, not just standard office applications.
- **Defang URLs/IPs:** Always use safe-listing and defanged formats for IoCs during investigation (e.g., `hxxp[://]malicious[.]site`).