SentinelOne stops LiteLLM supply chain attack in real time, attackers weaponize Axios to deploy RAT, and Chrome zero-day enables RCE.
# Incident Report: LiteLLM Supply Chain Compromise & Weaponized Axios Attack
## Executive Summary
In early April 2026, security researchers identified a sophisticated supply chain attack targeting the popular AI proxy server LiteLLM. Attackers weaponized a malicious version of the "Axios" library to deploy a Remote Access Trojan (RAT) and establish persistence. SentinelOne’s AI-powered EDR successfully detected and blocked the execution of the malicious payload in real time, preventing widespread compromise of AI infrastructure.
## Incident Details
- **Discovery Date:** April 2, 2026
- **Incident Date:** Late March to Early April 2026
- **Affected Organization:** LiteLLM (Users/Maintainers)
- **Sector:** Technology / Artificial Intelligence
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Circa March/April 2026
- **Vector:** Supply Chain Attack (Dependency Confusion/Typosquatting)
- **Details:** Attackers uploaded a compromised version of a dependency (modeled after the popular Axios library) to public package registries, which was subsequently integrated into the LiteLLM development environment or user installations.
### Lateral Movement
- **Details:** Following the execution of the malicious script, the malware attempted to perform internal reconnaissance of the host machine to identify network shares and adjacent AI services for further propagation.
### Data Exfiltration/Impact
- **Details:** The primary impact was the deployment of a Remote Access Trojan (RAT) capable of executing arbitrary code. While large-scale data exfiltration was blocked, the potential scope included theft of AI API keys, internal model configurations, and proprietary training data.
### Detection & Response
- **How it was discovered:** SentinelOne’s AI-powered behavioral engine flagged anomalous process spawning originating from a standard Node.js dependency.
- **Response actions taken:** The Singularity platform autonomously killed the malicious processes, quarantined the weaponized files, and alerted the LiteLLM community to revert to clean package versions.
## Attack Methodology
- **Initial Access:** Supply Chain Compromise via weaponized "Axios" package.
- **Persistence:** Implementation of a Remote Access Trojan (RAT) designed to persist across system reboots via scheduled tasks/cron jobs.
- **Defense Evasion:** Use of a legitimate, widely-trusted library name (Axios) to mask malicious code within thousands of lines of boilerplate library code.
- **Discovery:** Automated reconnaissance scripts to identify environment variables (specifically AI API keys).
- **Exfiltration:** Establishment of a Command and Control (C2) channel to relay system information.
- **Impact:** Potential full system takeover and exposure of sensitive LLM (Large Language Model) gateways.
## Impact Assessment
- **Financial:** High potential cost related to stolen API credits and service downtime.
- **Data Breach:** Exposure of AI credentials and prompt/response history.
- **Operational:** Disruption to AI application development pipelines.
- **Reputational:** Significant impact on trust within the open-source AI community.
## Indicators of Compromise
- **Network Indicators:**
  - C2 Communication to: `hxxps[://]attacker-c2-domain[.]com`
  - Unusual outbound traffic on port 443 from Node.js processes.
- **File Indicators:**
  - Malicious `axios` package versions (check package hashes).
  - Dropped RAT binary: `[Hash-Blocked-by-EDR]`
- **Behavioral Indicators:**
  - `npm` or `pip` install processes spawning unexpected shell commands.
  - Post-install scripts attempting to modify system startup files.
## Response Actions
- **Containment:** Automated process termination by Singularity EDR.
- **Eradication:** Deletion of malicious node_modules and clearing of local package caches.
- **Recovery:** Re-installation of verified, signed dependencies from official repositories.
## Lessons Learned
- **Dependency Blindness:** Standard security tools often ignore "trusted" packages like Axios, highlighting the need for behavioral monitoring over static analysis.
- **AI Infrastructure Vulnerability:** AI proxy tools like LiteLLM are high-value targets because they centralize access to multiple expensive API providers.
## Recommendations
- **Lockfile Integrity:** Always use `package-lock.json` or `yarn.lock` to ensure exact versioning.
- **Dependency Auditing:** Regularly run `npm audit` and utilize SCA (Software Composition Analysis) tools.
- **Runtime Protection:** Deploy behavior-based EDR/XDR to catch execution of malicious code even when the source appears legitimate.
- **Network Segmentation:** Isolate AI gateway servers from sensitive internal databases.
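
One way to act on the Lockfile Integrity recommendation and the file and behavioral indicators above is to audit the lockfile before anything is installed. The following is an added example, not code from SentinelOne or LiteLLM; it assumes a `package-lock.json` in lockfileVersion 2 or 3 format and that the public npm registry is the only trusted source, and the sample lockfile (names, versions, URLs, hashes) is constructed.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// Assumption: the public npm registry is the only trusted tarball source.
const TRUSTED_REGISTRY = 'https://registry.npmjs.org/';

function auditLockfile(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // Skip the root project, local workspace folders, links and bundled deps:
    // none of these has a registry tarball of its own to pin.
    if (!path.includes('node_modules/') || pkg.link || pkg.inBundle) continue;
    const name = pkg.name || path.split('node_modules/').pop();
    const flag = (issue) => findings.push({ name, version: pkg.version, issue });

    // No hash, or a hash weaker than SHA-512, leaves the tarball unpinned.
    if (!pkg.integrity) flag('missing-integrity');
    else if (!pkg.integrity.startsWith('sha512-')) flag('weak-integrity');

    // Tarball resolved from anywhere but the trusted registry (git, mirror, http).
    if (!pkg.resolved || !pkg.resolved.startsWith(TRUSTED_REGISTRY)) flag('untrusted-source');

    // npm sets this when the package declares preinstall/install/postinstall scripts.
    if (pkg.hasInstallScript) flag('install-script');
  }
  return findings;
}

// Constructed sample lockfile; every name, version, URL and hash is a placeholder.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': {
      version: '0.0.0-example',
      resolved: 'https://registry.npmjs.org/axios/-/axios-0.0.0-example.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/example-helper': {
      version: '0.0.1',
      resolved: 'https://packages.example.invalid/example-helper-0.0.1.tgz',
      integrity: 'sha1-PLACEHOLDER',
      hasInstallScript: true,
    },
    'node_modules/@scope/no-hash': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/@scope/no-hash/-/no-hash-2.0.0.tgz',
    },
  },
};

for (const f of auditLockfile(sampleLock)) console.log(`${f.name}@${f.version}: ${f.issue}`);
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `auditLockfile` and review every finding before running `npm ci`.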