Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Supply chain attacks in AI workflows - is your defence ready?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Three supply chain attacks against LiteLLM, Axios, and CPU-Z each arrived as a zero-day at execution time and exploited trusted delivery channels, with SentinelOne stopping all three without prior payload knowledge, according to SentinelOne. When authorization becomes automated, trust alone no longer protects AI development pipelines or software distribution paths.

NHIMG editorial — based on content published by SentinelOne: analysis of supply chain attacks against LiteLLM, Axios, and CPU-Z

By the numbers:

Questions worth separating out

Q: How should security teams stop supply chain attacks in AI development workflows?

A: Security teams should narrow automation rights, isolate package installation from execution, and add runtime controls that can block abnormal process behaviour before code reaches production.

Q: Why do trusted software channels still create breach risk?

A: Trusted channels still create breach risk because attackers target the identity and delivery path, not just the payload.

Q: What do security teams get wrong about automated agent permissions?

A: Teams often treat automation permissions as harmless because the system is executing approved tasks.

Practitioner guidance

  • Separate install rights from execution rights Remove blanket install permissions from AI coding agents, build runners, and developer service accounts.
  • Revoke and inventory publishing tokens continuously Treat package registry tokens, CI/CD credentials, and vendor distribution secrets as lifecycle-managed assets.
  • Add behavioural controls at runtime Use telemetry that watches process ancestry, interpreter spawning, anomalous child processes, and unusual command execution.

What's in the full article

SentinelOne's full analysis covers the operational detail this post intentionally leaves for the source:

  • Process-tree evidence and runtime telemetry behind each detection, including the LiteLLM, Axios, and CPU-Z execution chains.
  • The exact malicious behaviours observed at the edge, including interpreter abuse, anomalous PowerShell execution, and suspicious child-process patterns.
  • How the platform responded across different environments and what policies were required for prevention versus detection.
  • The report's incident-by-incident breakdown of why the trusted channel mattered more than the payload signature.

👉 Read SentinelOne's analysis of supply chain attacks in AI workflows and trusted software channels →

Supply chain attacks in AI workflows - is your defence ready?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Trusted delivery has become an identity problem, not only a malware problem. The article shows that the decisive control gap is not whether software is signed or whether a source is known, but whether the identity behind the delivery path is still trustworthy at execution time. When a legacy token, automated agent, or compromised publishing credential can act inside a trusted channel, the security model has already failed. Practitioner conclusion: treat delivery identities as governed assets with lifecycle controls, not static permissions.

A question worth separating out:

Q: Who is accountable when an AI agent or build pipeline introduces malicious code?

A: Accountability sits with the teams that granted the agent, service account, or CI/CD pipeline its authority and failed to govern its lifecycle. That means IAM, platform engineering, security, and application owners all need clear control ownership for install rights, token revocation, and runtime containment.

👉 Read our full editorial: Supply chain attacks now reach AI workflows at machine speed



   
ReplyQuote
Share: