By NHI Mgmt Group Editorial TeamPublished 2026-04-22Domain: Cyber SecuritySource: SentinelOne

TL;DR: Three supply chain attacks against LiteLLM, Axios, and CPU-Z each arrived as a zero-day at execution time and exploited trusted delivery channels, with SentinelOne stopping all three without prior payload knowledge, according to SentinelOne. When authorization becomes automated, trust alone no longer protects AI development pipelines or software distribution paths.


At a glance

What this is: This analysis argues that modern supply chain attacks now exploit trusted channels, automated permissions, and AI-assisted workflows faster than signature-based defenses can react.

Why it matters: IAM and security teams need to treat execution trust, install rights, and delegated tool access as governance problems, because compromised identities can turn trusted software delivery into immediate compromise.

By the numbers:

👉 Read SentinelOne's analysis of supply chain attacks in AI workflows and trusted software channels


Context

Supply chain security fails when organisations assume that trusted software, signed binaries, or authorised automation are safe by default. In AI development pipelines, those assumptions are weaker still because agents can install packages, invoke tools, and propagate changes without the friction that human review normally adds.

The identity dimension is real here: compromised credentials, legacy tokens, and excessive install permissions are what turn a supply chain event into a fast-moving intrusion. For IAM, PAM, and NHI programmes, this is a governance problem about who or what can act in trusted delivery paths, not just a malware detection problem.


Key questions

Q: How should security teams stop supply chain attacks in AI development workflows?

A: Security teams should narrow automation rights, isolate package installation from execution, and add runtime controls that can block abnormal process behaviour before code reaches production. In AI workflows, the important question is not only whether a source is trusted, but whether the agent or pipeline still has valid authority to act at the moment it executes.

Q: Why do trusted software channels still create breach risk?

A: Trusted channels still create breach risk because attackers target the identity and delivery path, not just the payload. If a registry token, publishing credential, or vendor distribution path is compromised, malicious code can arrive looking legitimate and execute before signature-based controls or manual review can identify the change.

Q: What do security teams get wrong about automated agent permissions?

A: Teams often treat automation permissions as harmless because the system is executing approved tasks. In practice, broad permissions turn the agent into a high-speed attacker if its identity or supply chain is compromised. The failure is assuming that authorised execution is the same thing as safe execution.

Q: Who is accountable when an AI agent or build pipeline introduces malicious code?

A: Accountability sits with the teams that granted the agent, service account, or CI/CD pipeline its authority and failed to govern its lifecycle. That means IAM, platform engineering, security, and application owners all need clear control ownership for install rights, token revocation, and runtime containment.


Technical breakdown

How trusted delivery channels become attack paths

Supply chain attacks succeed by abusing a channel that defenders already trust, such as package registries, vendor update paths, or signed software distribution. The technical trick is not always code sophistication. It is the insertion of malicious logic into a legitimate delivery mechanism so execution happens under normal operating assumptions. In AI development workflows, that can mean an agent auto-installing a package, a build tool pulling a dependency, or a signed binary being accepted without deeper inspection. Signature-based controls help only when the payload is already known. They do not stop first-seen abuse of a trusted source.

Practical implication: inspect the trust path itself, not just the payload, and restrict where automated build and agentic systems are allowed to fetch code.

Why automated permissions change the risk model for AI agents

An AI agent with install or execution permissions does not pause for suspicion. It treats its permissions as instructions and runs whatever those permissions allow, which collapses the human review step that traditionally interrupts suspicious activity. That creates a different failure mode from ordinary software compromise: the agent becomes the delivery vehicle for the attack. When the agent also has access to secrets, package managers, or CI/CD tooling, the blast radius expands quickly. In identity terms, the problem is not just authentication. It is the absence of task-scoped authorisation and runtime containment for non-human actors.

Practical implication: constrain AI agent permissions to the narrowest task scope and separate install rights from secret access and code execution.

Why behavioural detection matters when no signature exists

The article’s examples show why defence cannot depend on hashes, indicators of compromise, or reputation alone. A malicious package can be new, signed, or otherwise invisible to pre-existing rule sets, yet still behave in ways that are clearly abnormal for its process context. Behavioural engines look at execution chains, child processes, interpreter abuse, and anomalous command invocation. That matters in supply chain compromise because the attacker’s first goal is often to execute before human triage. The best defensive signal is the mismatch between what the process should do and what it actually starts doing at runtime.

Practical implication: add runtime behavioural controls that can stop suspicious process chains before a human analyst reviews them.


Threat narrative

Attacker objective: The attacker wants to convert trusted software delivery or delegated automation into immediate code execution, credential theft, and downstream compromise.

  1. Entry occurs through a trusted supply chain channel, such as a compromised package registry, legacy token, or vendor distribution path.
  2. Escalation happens when the malicious payload runs under legitimate credentials or in an AI workflow with unrestricted permissions, allowing execution without user friction.
  3. Impact follows when the payload steals credentials, executes arbitrary code, or establishes further access before detection tools can rely on signatures or prior intelligence.

NHI Mgmt Group analysis

Trusted delivery has become an identity problem, not only a malware problem. The article shows that the decisive control gap is not whether software is signed or whether a source is known, but whether the identity behind the delivery path is still trustworthy at execution time. When a legacy token, automated agent, or compromised publishing credential can act inside a trusted channel, the security model has already failed. Practitioner conclusion: treat delivery identities as governed assets with lifecycle controls, not static permissions.

AI agent install rights create a standing-privilege problem inside software pipelines. The interesting change is not that agents can run tools, but that they can do so faster than human review can intervene. That makes install permissions, package fetch rights, and secret access a single governance surface. Practitioner conclusion: if an agent can both decide and execute, then the programme needs task-scoped privilege and runtime containment, not broad automation approval.

Static trust controls cannot keep pace with machine-speed exploitation. The report’s core lesson is that signatures, reputation checks, and manual triage all assume a defender can react before the payload matters. That assumption breaks when the attack executes in seconds and the compromise originates from a trusted source. Practitioner conclusion: runtime behavioural detection must sit alongside identity governance, because trusted access paths now carry untrusted intent.

Continuous authorisation is the right mental model for agentic supply chain defence. Once automation is allowed to fetch, install, and execute, the question becomes whether the action should still be valid at the moment of use. That is a Zero Standing Privilege problem applied to software delivery and agentic tooling. Practitioner conclusion: make authorisation ephemeral, contextual, and revocable before the next execution step.

Detection latency is now a governance metric. If a payload can execute before a human analyst sees the event, then the programme is measuring the wrong thing by focusing only on after-the-fact investigation. The defender must know whether runtime controls can stop first-seen behaviour at the point of execution. Practitioner conclusion: include runtime containment and mean-time-to-block in board-level reporting, not only detection coverage.

What this signals

Runtime containment is becoming the control plane for machine-speed supply chain defence. Once AI agents and build automation can execute faster than human review, the programme has to prioritise controls that stop suspicious behaviour at the point of execution. That changes the operating model for IAM, PAM, and platform security because authority must now expire with the task, not persist across the pipeline.

Credential lifecycle discipline is now directly tied to software integrity. Forgotten registry tokens, stale publishing secrets, and over-broad automation rights can turn a routine update into a compromise path. Security leaders should expect more pressure to prove who can publish, who can install, and which trusted channels remain open to machine actors, not just humans.

Detection and governance are converging around the same problem: intent cannot be inferred from trust alone. A signed binary, approved agent, or authorised build step can still be malicious in practice, so teams need runtime policy and identity controls that evaluate action context continuously. For programmes using AI agents, this is where NHI governance and operational security start to overlap.


For practitioners

  • Separate install rights from execution rights Remove blanket install permissions from AI coding agents, build runners, and developer service accounts. Require just-in-time elevation for package installation and keep execution paths isolated from secret stores and publishing credentials.
  • Revoke and inventory publishing tokens continuously Treat package registry tokens, CI/CD credentials, and vendor distribution secrets as lifecycle-managed assets. Build a review process that flags legacy or forgotten tokens before they can be used in a trusted supply chain path.
  • Add behavioural controls at runtime Use telemetry that watches process ancestry, interpreter spawning, anomalous child processes, and unusual command execution. Configure prevention so suspicious chains are blocked before a human analyst has to validate the event.
  • Constrain AI agents to task-scoped trust boundaries Define which registries, repositories, tools, and operating contexts an AI agent can use, and make those permissions expire with the task. Do not allow an agent to inherit broad developer or production access by default.
  • Measure trust-path exposure, not just malware prevalence Track how many build systems, agents, and developer tools can fetch or execute from untrusted sources without a secondary check. That gives you a clearer view of where a trusted channel can become an attack path.

Key takeaways

  • Supply chain compromise is increasingly an identity and authorisation failure, not just a malware event.
  • Machine-speed attacks can execute before signatures, triage, or human approval can intervene, which makes runtime control essential.
  • Security teams need task-scoped permissions, continuous token hygiene, and behavioural blocking in the pipeline itself.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03NHI-03 maps to credential and token governance, central to compromised delivery paths.
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral MovementThe attacks use stolen credentials and trusted channels to move from access to broader compromise.
NIST CSF 2.0PR.AC-4Least-privilege and access governance directly apply to agent and pipeline permissions.
NIST SP 800-53 Rev 5IA-5Authenticator management governs the lifecycle of tokens used in package and publishing paths.
NIST AI RMFMANAGEAI RMF Manage fits the need to control downstream risk from autonomous or semi-autonomous tools.

Map delivery-path abuse to credential access and lateral movement, then harden controls around token use and execution.


Key terms

  • Supply Chain Attack: A supply chain attack compromises software, vendors, or delivery infrastructure so malicious code reaches victims through a path they already trust. The risk is not only in the payload, but in the legitimacy of the channel used to distribute or execute it.
  • Runtime Behavioural Detection: Runtime behavioural detection identifies suspicious activity by observing what a process does after execution begins, rather than matching a known signature or hash. It is valuable when attackers use new payloads, trusted channels, or signed binaries that appear legitimate until they start behaving abnormally.
  • Task-Scoped Privilege: Task-scoped privilege grants access only for the specific action and duration required to complete a job. For AI agents and automation, it reduces the chance that broad, persistent permissions can be abused if credentials, tools, or workflows are compromised.
  • Trusted Delivery Path: A trusted delivery path is a software distribution route that organisations allow by default, such as a package registry, update server, or vendor download site. Attackers target these paths because compromise there can bypass many controls that focus on the payload rather than the source.

What's in the full article

SentinelOne's full analysis covers the operational detail this post intentionally leaves for the source:

  • Process-tree evidence and runtime telemetry behind each detection, including the LiteLLM, Axios, and CPU-Z execution chains.
  • The exact malicious behaviours observed at the edge, including interpreter abuse, anomalous PowerShell execution, and suspicious child-process patterns.
  • How the platform responded across different environments and what policies were required for prevention versus detection.
  • The report's incident-by-incident breakdown of why the trusted channel mattered more than the payload signature.

👉 SentinelOne's full analysis covers the attack chains, behavioural detections, and policy conditions behind each stop.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is designed for practitioners who need to connect identity controls to modern automation and access governance.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org