SentinelOne AI stopped a LiteLLM supply chain attack in seconds, blocking malicious code automatically without human intervention.
SentinelOne’s AI-based security detected and blocked a supply chain attack involving a compromised LiteLLM package.
SentinelOne’s macOS agent detected and stopped a malicious process chain triggered by Claude Code after the coding assistant unknowingly installed a compromised LiteLLM package. The agent flagged hidden Python code being executed through base64 decoding and killed the process within seconds, correlating hundreds of events. It traced the full process chain back to the AI agent that started it and prevented data theft or further spread, illustrating what autonomous, behavior-based defense can do.
Attackers indirectly compromised LiteLLM by first breaching trusted tools like Trivy, stealing maintainer credentials to publish malicious versions. The campaign also hit other platforms, showing how open-source trust can be abused. In one case, an AI coding assistant unknowingly installed the infected package, highlighting a new risk: AI agents with full system access can spread attacks automatically.
“SentinelOne’s behavioral detection operates below the application layer. It does not matter whether a malicious package is installed by a human, a CI pipeline, or an AI agent,” reads the report published by SentinelOne. “The platform monitors process behavior via the Endpoint Security Framework, which is why this detection fired regardless of how the infected package arrived.”
Two malicious versions were published to ensure execution: one ran during normal use of the library, the other at Python interpreter startup, which extended the attack’s reach even to systems not actively using LiteLLM.
The LiteLLM attack began with a small, obfuscated script that launched silently, followed by a data stealer that collected system info, credentials, crypto wallets, and secrets. The malware then ensured persistence by installing a disguised system service that ran in the background and contacted its command server at long intervals to avoid detection.
“The third stage established persistence through a systemd user service at ~/.config/systemd/user/sysmon.service, executing a script at ~/.config/sysmon/sysmon.py,” continues the report. “The persistence mechanism included a 5-minute initial delay before any network activity, a technique specifically designed to outlast automated sandbox analysis. After that, the script contacted its C2 server every 50 minutes, fetching dynamic payload URLs.”
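The two behaviors the report singles out, base64 content decoded straight into an interpreter and a user-level systemd service launching a script hidden under ~/.config, can be expressed as simple detection checks. The following is an added example, not SentinelOne's detection logic or the campaign's code; the unit text and process command lines are constructed samples that only reuse the paths named in the report.

```python
import re

# Constructed sample user unit, modelled on ~/.config/systemd/user/sysmon.service
# as described in the report (contents are hypothetical, not recovered from the campaign).
SAMPLE_UNIT = """[Unit]
Description=System Monitor

[Service]
ExecStart=/usr/bin/python3 %h/.config/sysmon/sysmon.py
Restart=always

[Install]
WantedBy=default.target
"""

# Constructed sample process command lines, the way an EDR might record them.
SAMPLE_CMDLINES = [
    "python3 -c \"import base64;exec(base64.b64decode('aW1wb3J0IG9z'))\"",
    "python3 -m pytest tests/",
    "sh -c \"echo aGVsbG8= | base64 -d | sh\"",
]

# Interpreter fed with freshly decoded base64: exec(b64decode(...)) or `base64 -d | sh`.
B64_TO_INTERPRETER = re.compile(
    r"(exec|eval)\s*\(\s*(base64\.)?b64decode|base64\s+(-d|--decode)\b[^|]*\|\s*(sh|bash|python3?)\b"
)
# Interpreter started on a script that lives under the user's config directory.
CONFIG_SCRIPT = re.compile(r"(python3?|perl|sh|bash)\s+(~|%h|/home/[^/\s]+)/\.config/\S+")

def flag_cmdline(cmd: str) -> bool:
    """True if the command line decodes base64 straight into an interpreter."""
    return bool(B64_TO_INTERPRETER.search(cmd))

def exec_start_lines(unit_text: str) -> list[str]:
    """Return every ExecStart= value of a unit file (a unit may list several)."""
    return [line.split("=", 1)[1].strip()
            for line in unit_text.splitlines()
            if line.strip().startswith("ExecStart=")]

def flag_user_unit(unit_text: str) -> bool:
    """True if a user unit runs an interpreter on a script hidden under ~/.config."""
    return any(CONFIG_SCRIPT.search(cmd) for cmd in exec_start_lines(unit_text))

def triage(cmdlines: list[str], unit_text: str) -> dict:
    """Collect the suspicious command lines and the verdict on the unit file."""
    return {"cmdlines": [c for c in cmdlines if flag_cmdline(c)],
            "unit": flag_user_unit(unit_text)}

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINES, SAMPLE_UNIT))
```

In practice the unit check would be run over every file in ~/.config/systemd/user/ for each user, and the command-line check over live process-creation telemetry.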
The attack expanded beyond the initial machine by creating privileged Kubernetes pods, gaining deep access to cluster nodes and deploying backdoors. Stolen data was encrypted and sent to a server designed to look legitimate, helping it bypass monitoring. Overall, the attack shows how modern threats combine stealth, automation, and multiple layers to move quickly and evade traditional defenses.
“The LiteLLM detection wasn’t a one-off. It’s what happens when autonomous, behavioral AI is built into the foundation, not bolted on after the fact,” concludes the report.
