SENTINELONE’S macOS agent detected and stopped a LiteLLM supply chain attack in seconds, blocking malicious code automatically without human intervention. According to the report published by SentinelOne, the AI identified suspicious hidden Python code execution via base64 decoding and terminated the process within seconds across hundreds of events.
The attack began when attackers indirectly compromised LiteLLM by breaching trusted tools like Trivy, stealing maintainer credentials to publish malicious versions, with the campaign spreading to other platforms. Two malicious versions ensured execution, one during normal use and the other at Python startup, expanding the attack’s reach even to systems not actively using LiteLLM.
The third stage established persistence through a systemd user service at ~/.config/systemd/user/sysmon[.]service, executing a script at ~/.config/sysmon/sysmon[.]py, with a 5-minute initial delay before any network activity and subsequent contact to its C2 every 50 minutes. The attack also created privileged Kubernetes pods to gain deep access to cluster nodes and deployed backdoors, while stolen data was encrypted and sent to a server designed to look legitimate.