Tags: malware, critical, Compromised Credentials, Data Theft, Supply Chain Attack, TeamPCP

Mar 31, 2026 • SentinelOne

How SentinelOne’s AI EDR Autonomously Discovered and Stopped Anthropic’s Claude from Executing a Zero Day Supply Chain Attack, Globally


Source: SentinelOne
Category: malware
Severity: critical

Executive Summary

SentinelOne reported a critical supply chain attack targeting AI infrastructure involving the compromise of the LiteLLM Python package. The threat actor, tracked as TeamPCP, initially compromised the Trivy security scanner to steal maintainer credentials, subsequently publishing malicious versions of LiteLLM on PyPI. The campaign aimed to execute malicious Python code, establish persistence, move laterally within Kubernetes environments, and exfiltrate data. The attacker utilized base64-encoded payloads to evade signature detection. SentinelOne's autonomous EDR detected and blocked the behavioral patterns associated with the trojaned package across multiple customer environments without manual intervention. The attack also impacted Checkmarx KICS, AST, and Telnyx. This incident highlights the risks of transitive trust in open-source supply chains and the necessity of AI-native defense mechanisms to counter machine-speed attacks. Organizations are advised to monitor supply chain dependencies and employ behavioral detection capabilities to mitigate similar threats.

Summary

Read our blog post to learn how SentinelOne’s AI EDR autonomously stopped a global LiteLLM supply chain attack before execution.

Published Analysis

Host-based, behavioral, autonomous AI detection is by far the most effective way to generically see and stop both human-speed and machine-speed, AI-agent-driven rogue or malicious activity. On March 24, 2026, SentinelOne’s autonomous detection caught what manual workflows never could have: a trojaned version of LiteLLM, one of the most widely used proxy layers for LLM API calls, executing malicious Python across multiple customer environments. The package had been compromised hours earlier. No analyst wrote a query. No SOC team triaged an alert. The Singularity Platform identified and blocked the payload before it could run, across every affected environment, on the same day the attack was launched.

The LiteLLM supply chain compromise is not an anomaly. It is the new pattern: multi-stage, multi-surface, designed to evade manual workflows at every turn. A compromised security tool led to a compromised AI package, which led to data theft, persistence, Kubernetes lateral movement, and encrypted exfiltration, all within a window measured in hours. SentinelOne detected and blocked this attack autonomously, on the same day it was launched, across multiple customer environments. No manual triage. No signature update. No analyst in the loop for the initial containment. This is what autonomous, AI-native defense looks like when it meets a real-world threat at machine speed. The gap between the velocity of this attack and the capacity of human-driven investigation is the gap where organizations get compromised. Closing that gap is not a feature request. It is an architectural decision. This is what happens when AI infrastructure gets targeted by a multi-stage supply chain campaign, and what it looks like when autonomous, AI-native defense is already in position. Here is what we detected, how the attack was structured, and why this is the class of threat that the Singularity Platform was built to stop.

Autonomous Detection at Machine Speed

SentinelOne’s macOS agent identified and preemptively killed a malicious process chain originating from Anthropic’s Claude Code running with unrestricted permissions (claude --dangerously-skip-permissions). No human developer ran pip install; an autonomous AI coding assistant updated LiteLLM to the compromised version as part of its normal workflow. The AI engine classified the behavior as MALICIOUS and took immediate action: KILLED (PREEMPTIVE) across 424 related events in under 44 seconds. The agent didn’t need to know the package was compromised; it watched what the process did and stopped it based on behavior, regardless of what initiated the install.

Catching the Payload in the Act

The macOS agent caught the trojaned LiteLLM package mid-execution. The process summary tells the story: python3.12 launching with a command line containing import base64; exec(base64.b64decode(..., the exact bootstrap mechanism described in the attack’s first stage, decoding and executing the obfuscated payload in a child process. The agent didn’t need a signature for this specific package. It recognized the behavioral pattern, a Python interpreter executing base64-decoded code in a spawned subprocess, classified it as MALICIOUS, and killed it preemptively before the stealer, persistence, or lateral movement stages could deploy.

The Full Process Tree: Containing the Blast Radius

Zooming out on the same detection reveals the full scope of what the autonomous AI agent was doing when the payload fired. The process tree expands from Claude Code (2.1.81) into a sprawling chain: zsh, bash, node, uv, ssh, rm, python3.12, mktemp, with hundreds of child events still loadable (304 events captured). This is what unrestricted AI agent activity looks like at the endpoint level: a single command spawning an entire dependency...
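The behavioral pattern the analysis above describes (a Python interpreter launched with a command line that base64-decodes and exec()s a blob, spawned somewhere under an AI coding agent) is simple enough to express as a detection rule over process-creation telemetry. The following is an added example, not SentinelOne's detection logic or any LiteLLM code: it scans a list of process events, flags Python interpreters whose command line matches the inline bootstrap, and reports the ancestor chain so an analyst can see what started the interpreter. The event schema, the `ProcessEvent`/`Verdict` types, the rule name and all sample events (including the harmless base64 blob, which decodes to `import os`) are constructed for this demo.

```python
"""Behavioral rule: Python interpreter exec()ing a base64-decoded blob.

Added example, not SentinelOne's or LiteLLM's code. Event fields, rule name
and sample data are assumptions made for this demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Treat any binary whose basename is python, python3, python3.12, ... as an interpreter.
PYTHON_RE = re.compile(r"(^|/)python(\d+(\.\d+)?)?$")

# The bootstrap shape from the analysis: exec(base64.b64decode(<blob>)).
# Tolerates whitespace and a module alias such as `import base64 as b; exec(b.b64decode(`.
BOOTSTRAP_RE = re.compile(r"exec\s*\(\s*\w+\s*\.\s*b64decode\s*\(", re.IGNORECASE)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # executable path
    cmdline: str    # full command line as observed
    user: str = "dev"


@dataclass
class Verdict:
    pid: int
    rule: str
    chain: list[str]        # image basenames, root ancestor first, flagged process last
    severity: str = "malicious"


def is_python(image: str) -> bool:
    return PYTHON_RE.search(image) is not None


def ancestor_chain(by_pid: dict[int, ProcessEvent], pid: int) -> list[str]:
    """Walk ppid links upward until we leave the captured events (or hit a cycle)."""
    chain: list[str] = []
    seen: set[int] = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(ev.image.rsplit("/", 1)[-1])
        pid = ev.ppid
    return list(reversed(chain))


def detect(events: list[ProcessEvent]) -> list[Verdict]:
    """Return one Verdict per Python process whose command line carries the bootstrap."""
    by_pid = {e.pid: e for e in events}
    verdicts: list[Verdict] = []
    for ev in events:
        if not is_python(ev.image):
            continue                     # a grep for 'b64decode' is not an interpreter
        if not BOOTSTRAP_RE.search(ev.cmdline):
            continue                     # ordinary python invocations pass through
        verdicts.append(Verdict(pid=ev.pid, rule="python_inline_b64_exec",
                                chain=ancestor_chain(by_pid, ev.pid)))
    return verdicts


# Constructed sample telemetry, loosely following the tree described in the analysis:
# an agent started with permission checks disabled, a shell, a package installer,
# and the interpreter that decodes the blob. The blob below is just "import os".
SAMPLE_EVENTS = [
    ProcessEvent(1, 0, "/usr/local/bin/claude", "claude --dangerously-skip-permissions"),
    ProcessEvent(2, 1, "/bin/zsh", "zsh -c 'uv pip install -U litellm'"),
    ProcessEvent(3, 2, "/usr/local/bin/uv", "uv pip install -U litellm"),
    ProcessEvent(4, 3, "/usr/local/bin/python3.12",
                 "python3.12 -c \"import base64; exec(base64.b64decode('aW1wb3J0IG9z'))\""),
    ProcessEvent(5, 2, "/usr/local/bin/python3.12", "python3.12 -m pytest tests/"),
    ProcessEvent(6, 2, "/usr/bin/grep", "grep -r 'base64.b64decode' src/"),
]


if __name__ == "__main__":
    for v in detect(SAMPLE_EVENTS):
        print(f"{v.severity.upper()} pid={v.pid} rule={v.rule} chain={' -> '.join(v.chain)}")
```

On the sample data only pid 4 is flagged, with the chain `claude -> zsh -> uv -> python3.12`; the pytest run and the grep that merely mentions `b64decode` are ignored because the rule keys on what the interpreter is asked to execute, not on the string appearing anywhere. A real deployment would feed this from EDR or auditd process-start events and would pair the verdict with a kill action, which is the part the analysis above attributes to the agent.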

Linked Entities

  • TeamPCP