Two AI Supply Chain Attacks in Eight Days — Through Runtime Detection's Lens
axios npm and LiteLLM PyPI both compromised within an eight-day window. Honest walkthrough of what ATR rules would surface if either payload fired inside an instrumented runtime.
Eight days, two high-profile AI supply-chain compromises in the open ecosystem. Honest framing first: ATR is a runtime detection layer, not install-time SCA. We did not detect either attack in real time. What follows is what our rules would surface if the payload fired inside an instrumented agent runtime.
axios npm Compromise (2026-03-31)
Per Microsoft Threat Intelligence, attribution went to Sapphire Sleet. The compromise window was three hours. axios sees 100M+ weekly downloads.
Mechanism: a fake [email protected] dependency was inserted as a transitive, post-install autorun. The payload was a cross-platform RAT covering macOS, Windows, and Linux. The malicious version was published and pulled within a 39-minute window before community reporting caught it.
ATR rules that fire on the runtime trace:
- ATR-2026-00204 — stealth-execution-persistence (post-install autorun on a non-binary package)
- ATR-2026-00152 — obfuscated-credential-leak (RAT exfil chain)
- ATR-2026-00041 — scope-creep (cryptography library reaching for shell)
- ATR-2026-00111 — shell-escape
- ATR-2026-00126 — skill-rug-pull-setup (benign-on-publish, malicious-on-update pattern)
LiteLLM PyPI Backdoor (2026-03-24)
Per Datadog Security Labs, attribution went to TeamPCP. The compromise window was forty minutes. LiteLLM sees 3.4M daily downloads.
Mechanism: a malicious litellm_init.pth file was placed in the site-packages directory. .pth files auto-execute on every Python startup — extremely quiet persistence. Payload stole kubectl secrets, spawned an alpine pod for lateral movement, and installed a persistent backdoor at /root/.config/sysmon/sysmon.py.
ATR rules that fire on the runtime trace:
- ATR-2026-00204 — stealth-execution-persistence (.pth autorun)
- ATR-2026-00152 — obfuscated-credential-leak (kubectl secret extraction)
- ATR-2026-00040 — privilege-escalation (alpine pod spawn for lateral movement)
- ATR-2026-00041 — scope-creep
- ATR-2026-00112 — dynamic-import-exploitation
- ATR-2026-00111 — shell-escape
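Both mechanisms above (the npm post-install autorun and the PyPI `.pth` autorun) hinge on install-time hooks that run code without any import by the application. The following audit script is an added example, not part of this post or the ATR rule corpus: it walks a tree and reports the two hook types, using CPython's actual `.pth` rule (a line beginning with `import ` or `import\t` is exec'd by `site.py` at interpreter startup) and npm's install-phase lifecycle script names. File names and sample contents in the test are constructed.

```python
"""Audit a directory tree for install-time autorun hooks (added example)."""
import json
import os
from pathlib import Path

# npm runs these lifecycle scripts automatically during `npm install`.
NPM_AUTORUN_SCRIPTS = ("preinstall", "install", "postinstall")


def executable_pth_lines(pth_path):
    """Return the lines of a .pth file that site.py would exec() at startup.

    CPython's site.addpackage() executes any line that starts with
    'import ' or 'import\\t'; every other non-comment line is merely
    appended to sys.path. Only the executable lines are of interest here.
    """
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    return [ln.rstrip() for ln in text.splitlines()
            if ln.startswith(("import ", "import\t"))]


def npm_autorun_scripts(package_json_path):
    """Return {script_name: command} for install-phase lifecycle hooks."""
    try:
        data = json.loads(Path(package_json_path).read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}  # unreadable or malformed manifest: nothing to report
    scripts = data.get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in NPM_AUTORUN_SCRIPTS}


def audit_tree(root):
    """Walk root and return (kind, path, detail) findings for both hook types."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".pth"):
                for line in executable_pth_lines(full):
                    findings.append(("pth-autorun", full, line))
            elif name == "package.json":
                for script, cmd in npm_autorun_scripts(full).items():
                    findings.append(("npm-autorun", full, f"{script}: {cmd}"))
    return findings


if __name__ == "__main__":
    import sys
    for kind, path, detail in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}\t{path}\t{detail}")
```

Expect legitimate hits from tooling that uses the same mechanism (for example setuptools' `distutils-precedence.pth` and virtualenv's `_virtualenv.pth`), so a baseline of known-good entries is needed before treating a new `.pth` import line as a persistence indicator.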
Three Takeaways
1. Install-time defence is necessary but not sufficient. Both attacks beat install-time SCA in the publish-to-detection window. SCA + behavioural runtime detection is the realistic posture.
2. Runtime detection is the second layer. Once the payload runs, deterministic rules on syscalls, network destinations, and persistence writes are vendor-neutral and language-neutral. ATR rules are written against the behaviour, not the package name.
3. Rules are vendor-neutral. Same ATR-2026-00204 fires on Anthropic Skills, MCP servers, npm post-install, PyPI .pth. The detection layer doesn't care which ecosystem the package came from.
What This Doesn't Claim
We did not catch axios or LiteLLM live. Community reporting did, on both. The value of writing this post is to show what rules look like when applied to known incidents, so future incidents in instrumented environments have a faster detection contract to compare against.
Microsoft on axios · Datadog on LiteLLM · Elastic Security Labs · ATR rule corpus