Poisoned at the Source: Inside the LiteLLM Supply Chain Attack Targeting AI Infrastructure

Original research credit: SentinelOne Research — "Securing the Supply Chain: How SentinelOne's AI EDR Stops the Axios Attack Autonomously." CypherByte's analysis builds on and contextualizes those findings for security practitioners and enterprise defenders.

Executive Summary

A global supply chain attack targeting LiteLLM — a widely adopted open-source proxy layer used to unify access to large language model APIs — has surfaced as one of the more tactically sophisticated threats to emerge from the AI tooling ecosystem this year. The attack leveraged a malicious dependency injected through Axios, a near-ubiquitous HTTP client library present in millions of JavaScript and Node.js projects worldwide. Because both libraries sit deep in the dependency trees of AI-centric development environments, the blast radius of a successful compromise is disproportionately large: a single poisoned package can silently propagate to thousands of downstream consumers before a single alert fires.

Security engineers, DevSecOps teams, and any organization building or operating AI-powered applications on Node.js-based stacks should treat this research as an active operational concern — not a theoretical one. The attack reached the pre-execution stage in observed telemetry before being autonomously neutralized. That distinction matters enormously: traditional signature-based controls would have offered little to no protection here. The incident underscores the accelerating need for behavioral, AI-driven endpoint detection capable of reasoning about intent, not just pattern-matching against known-bad file hashes.

Technical Analysis

The attack chain begins with a classic supply chain insertion technique: a threat actor publishes or compromises a package — in this case one masquerading as or injected into the axios dependency graph — seeding malicious code that executes during the standard npm install or module-load lifecycle. LiteLLM, which functions as a proxy and abstraction layer sitting between application code and LLM provider APIs (OpenAI, Anthropic, Cohere, and others), relies on axios for its HTTP transport layer. This makes it an exceptionally high-value target: compromise the transport, and you compromise every API call routed through the proxy.

The payload itself exhibits behavioral characteristics consistent with a staged dropper architecture. Initial execution performs environmental reconnaissance — checking for sandbox indicators, enumerating environment variables likely to contain API keys, and fingerprinting the host. This recon phase is designed to be low-noise and is commonly used to avoid triggering cloud sandbox detonation systems. Subsequent stages, had they reached execution, would have facilitated credential harvesting with a particular focus on LLM provider API keys — credentials that carry direct financial value and can be monetized immediately through resale or direct API abuse.

From a code-level perspective, the attack abuses the postinstall script hook in package.json — a mechanism npm intentionally provides for legitimate setup tasks but which has a long history of abuse in supply chain campaigns. The hook fires automatically when a package is installed, requiring no additional user interaction. Combined with the trusted reputation of the axios namespace, most developers would have no reason to inspect the execution trace of a routine dependency installation. The social engineering surface here is the implicit trust developers extend to popular packages.

Impact Assessment

Affected systems include any environment running Node.js applications that pull LiteLLM or its dependencies via npm, particularly in CI/CD pipelines, containerized development environments, and cloud-hosted AI inference layers. Given axios's staggering download volume — consistently exceeding 50 million weekly npm downloads — even a narrow window of malicious package availability translates to a potentially enormous exposure footprint.

The primary real-world consequences of a successful execution would have included: exfiltration of LLM provider API keys (OpenAI, Anthropic, Cohere, Azure OpenAI, etc.) stored as environment variables; potential lateral movement within cloud-native environments where those credentials carry IAM-adjacent permissions; and persistent access via implanted backdoors in long-lived containerized services. Secondary consequences include reputational damage to AI product teams whose infrastructure was silently compromised, and financial exposure from fraudulent API usage billed to victim accounts.

Organizations running automated dependency update tooling (Dependabot, Renovate, etc.) face compounded risk: these systems are explicitly designed to pull and install updated packages with minimal friction, which is precisely the behavior a supply chain attacker seeks to exploit. The automation that accelerates development also accelerates compromise propagation.

CypherByte's Perspective

This incident is a case study in the evolving threat surface that accompanies rapid AI adoption at the infrastructure layer. As organizations race to integrate LLM capabilities into their products, they are inheriting deep and often poorly-audited dependency graphs. The AI tooling ecosystem — LangChain, LiteLLM, llama_index, openai SDK wrappers, and dozens of adjacent libraries — has grown faster than the security community's capacity to vet it. Threat actors have noticed.

The broader lesson here extends well beyond this specific campaign. Supply chain attacks are fundamentally trust exploitation attacks. They succeed not because defenders are incompetent, but because the entire software development model is built on a foundation of transitive trust — we install packages written by strangers, maintained by volunteers, and distributed through infrastructure we do not control. Until the industry converges on stronger package signing standards, mandatory provenance verification, and real-time behavioral monitoring at the dependency install layer, supply chain insertion will remain an asymmetric attack vector that favors the attacker.

What SentinelOne's research demonstrates — and what CypherByte considers a landmark data point — is that autonomous, AI-driven behavioral EDR can close the gap that signature-based tools leave open. The attack was stopped pre-execution, not because a signature existed, but because the behavioral profile of the execution chain matched threat patterns the AI model had internalized. This is the detection paradigm defenders need to be building toward.

Indicators and Detection

Defenders should instrument their environments to detect the following behavioral and artifact-based indicators associated with this attack class. Note that specific file hashes associated with this campaign should be sourced directly from SentinelOne's published IOCs.

Behavioral Indicators:

• Unexpected network egress originating from node or npm processes during or immediately after package installation
• Environment variable enumeration (reads of process.env in full) occurring within postinstall script execution context
• Child process spawning from npm lifecycle hooks, particularly shells (sh, bash, cmd.exe) invoked by node
• DNS lookups to non-registry domains during npm install execution
• Unusual file writes to node_modules subdirectories outside of expected package paths

Static / Package-Level Indicators:

• Presence of postinstall or preinstall scripts in axios or litellm-adjacent packages — neither should have install hooks under normal circumstances
• Package versions or checksums that do not match published npm registry manifests
• Unexpected dependencies introduced in minor or patch version bumps of trusted packages

Recommendations

CypherByte recommends the following immediate and medium-term actions for security and engineering teams operating in affected environments:

Immediate Actions:

• Audit current LiteLLM and axios versions in all production and development environments. Cross-reference installed versions against official registry checksums using npm audit and npm pack integrity verification.
• Rotate all LLM provider API keys in environments where LiteLLM has been installed or updated in the past 90 days. Treat this as a precautionary measure regardless of whether compromise is confirmed.
• Review CI/CD pipeline logs for anomalous network activity during npm install steps, particularly outbound connections to non-registry endpoints.
• Disable or sandbox postinstall scripts in CI/CD pipelines using npm install --ignore-scripts where application functionality permits.

Medium-Term Hardening:

• Implement a private npm registry (Verdaccio, AWS CodeArtifact, Artifactory) with explicit allow-listing of approved packages and version pinning enforced at the infrastructure level.
• Deploy behavioral EDR with npm/node telemetry coverage across developer workstations, CI runners, and container build environments — not just production endpoints.
• Establish Software Bill of Materials (SBOM) generation as a mandatory step in your build pipeline. Tools like syft or cdxgen can automate this. An SBOM won't prevent an attack, but it dramatically reduces mean time to triage when one occurs.
• Enroll in package integrity monitoring services that alert on unexpected changes to packages your codebase depends on — including transitive dependencies.
• Apply least-privilege credential scoping to all LLM provider API keys. Keys used by proxy layers like LiteLLM should have restricted permissions and hard spending caps enforced at the provider level.

The threat landscape around AI infrastructure is maturing faster than most organizations' security programs can track. Supply chain integrity is no longer a theoretical concern for AI teams — it is an active, monetized attack surface. Defenders who treat npm packages as trusted artifacts without verification are operating on borrowed time.

CypherByte will continue tracking developments in AI supply chain security. This analysis is based on research originally published by SentinelOne Research. All credit for original discovery and telemetry belongs to the SentinelOne threat research team.