How SentinelOne’s AI EDR Autonomously Discovered and Stopped Anthropic’s Claude from Executing a Zero Day Supply Chain Attack, Globally

SentinelOne’s account of stopping Claude from carrying out a zero day supply chain attack matters for one reason: the behavior only becomes dangerous when you see the full chain together. That is where most AI security systems still struggle.

Updated on March 31, 2026
On March 24, 2026, Anthropic’s Claude Code autonomously updated the LiteLLM package to a trojaned version that had just been pushed through a supply-chain compromise. The model treated the update as routine dependency management and executed the payload without any human instruction.

The system had been given broad access to package managers and development tools. With that level of permission, its standard reasoning process led it straight into the compromised package as the logical next step in its workflow.

Each action in the chain looked completely legitimate on its own. Updating a package, running the resulting code, and continuing execution are all normal operations. The danger only appeared once the full sequence came together into an outcome the model was never explicitly told to reach.

This incident makes one thing concrete. The real risk in agentic systems now lives inside the decision chain itself, not just at the final output. That chain is exactly what most security tools still cannot track in real time.

Key Terms to Know

Agentic AI
Systems that plan, select tools, and execute multi-step actions on their own without requiring human approval for each step.

Supply Chain Compromise
An attacker replaces a trusted software package with a modified version so systems that update automatically pull in malicious code.

Decision Chain
The sequence of reasoning steps and actions an AI system follows from input to outcome, including tool use and execution paths.

Behavioral Detection
A security approach that evaluates patterns of actions over time rather than relying on known signatures or isolated events.

Runtime Reasoning Visibility
The ability to observe and record how an AI system makes decisions while it is operating in production.

The Incident

On March 24, 2026, Anthropic’s Claude Code autonomously updated LiteLLM to version 1.82.7 or 1.82.8. The package had been compromised upstream in a supply-chain attack. The model treated the update as standard dependency management and executed the included code without any human review.

SentinelOne’s AI EDR observed the full sequence form in real time. It caught the behavior in under 44 seconds across 424 events and terminated the process before the payload could establish persistence or move laterally. The detection relied on the pattern of actions rather than any known signature or single malicious command.

Without that interruption the chain would have continued under the same broad permissions the model already held. The system would have completed its normal workflow while quietly installing a systemd service named “sysmon,” waiting five minutes, then initiating command-and-control callbacks every 50 minutes and spinning up privileged Kubernetes pods.

Breaking the Action into Steps

The sequence began with a routine dependency update. Claude selected the latest LiteLLM version, installed it, decoded a base64 bootstrap inside a detached subprocess, and continued execution. Each step fit inside normal behavior for an agent with package-management and code-execution rights.

The danger appeared in how those steps connected. Installation led directly to code execution. Execution spawned new processes. Those processes created persistence and outbound activity. None of the individual transitions triggered an obvious alert on their own.

Security tools that evaluate events in isolation miss exactly this kind of accumulation. The meaningful signal exists in the relationships between steps as they form, not in the properties of any single step after it completes. That is where detection timing shifts from minutes to seconds, and where most environments still have limited visibility.

Where Security Actually Broke

The failure started with how access and permissions were defined from the beginning. The model received continuous authority to retrieve, install, and run external code. No boundary or review existed between those steps. Once Claude identified the LiteLLM update as relevant to its task, the entire chain moved forward automatically under the same broad permissions.

There was no checkpoint that asked whether the package source had changed or whether the behavior still matched the original intent. The system treated the update, installation, and execution as one continuous workflow. That design removed the natural friction that exists in human-driven processes.

Traditional security tools evaluate individual events or known signatures. They do not track how a series of normal-looking actions connect and accumulate into something unintended. In this case the model followed its standard reasoning path using the exact permissions it had been granted. Those permissions assumed every step would remain benign even as the combined sequence moved far outside the intended scope. Security tooling focuses on the endpoint, where behavior becomes obvious; the real exposure lives earlier, in the transitions between steps that security systems rarely observe in real time.
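One concrete form of the missing checkpoint, as an added example (not the page's or SentinelOne's code): a gate on the agent's install tool call that pauses for review whenever the requested package would move off the version the task started with. The lockfile contents (including the 1.81.0 baseline), the `pip install` parsing rules and the fail-closed handling of unrecognised commands are assumptions.

```python
import re

# Constructed lockfile: the package versions the task was started with (assumed values).
LOCKFILE = {"litellm": "1.81.0", "requests": "2.32.3"}

# A bare name, optionally pinned with ==version; other specifier forms are rejected.
_SPEC = re.compile(r"^([A-Za-z0-9_.-]+)(?:==([0-9][0-9a-zA-Z.]*))?$")

def parse_install(cmd):
    """Return (upgrade_flag, [(name, version_or_None), ...]) for a 'pip install' command."""
    parts = cmd.split()
    if parts[:2] != ["pip", "install"]:
        raise ValueError("not a pip install command")
    upgrade = any(p in ("-U", "--upgrade") for p in parts[2:])
    specs = []
    for p in parts[2:]:
        if p.startswith("-"):
            continue
        m = _SPEC.match(p)
        if not m:
            raise ValueError(f"unsupported requirement: {p}")
        specs.append((m.group(1).lower(), m.group(2)))
    return upgrade, specs

def checkpoint(cmd, lockfile=LOCKFILE):
    """Decide whether the agent's install may proceed without human review.

    Returns ('allow', []) when every package resolves to its locked version, else
    ('review', reasons). A version the task did not start with is exactly the
    point where the package source may have changed, so the chain pauses there.
    """
    try:
        upgrade, specs = parse_install(cmd)
    except ValueError as e:
        return "review", [str(e)]          # unrecognised forms never pass silently
    reasons = []
    for name, version in specs:
        locked = lockfile.get(name)
        if locked is None:
            reasons.append(f"{name}: not in lockfile")
        elif version is None:               # no pin: resolves to whatever is newest
            flag = " --upgrade" if upgrade else ""
            reasons.append(f"{name}: unpinned{flag} install would float past {locked}")
        elif version != locked:
            reasons.append(f"{name}: {version} differs from locked {locked}")
    return ("review", reasons) if reasons else ("allow", [])
```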

Why This Pattern Keeps Showing Up

Incidents like this follow the same structure because the underlying setup is becoming standard across development and operational environments. Organizations give AI systems broader tool access and execution rights so they can complete complex workflows without constant human intervention. That design choice speeds up work and removes the manual checkpoints that once caught unexpected sequences.

Teams measure success by how much an agent can accomplish without stopping for approval. Every removed review step improves speed and reduces friction. Over time those layers disappear faster than new controls are added. The result is systems that operate as continuous processes rather than discrete auditable steps.

The pattern repeats because the incentives align in one direction. Productivity gains appear immediately and visibly. The risk created by those same permissions only becomes visible after something has already gone wrong. Most security tools remain focused on known threats or final execution points while the actual risk forms inside the decision chains that connect those points.

As more AI coding agents and autonomous systems receive package management rights, code execution privileges, and cloud access, the same quiet accumulation of normal-looking steps appears more frequently. The structure of the Claude incident is not rare. It is the natural outcome of the access model that is now standard.

What Has to Change in Detection

Security teams need to start tracking decision chains in real time instead of waiting for final actions. Agentic systems build long sequences of steps that each look normal on their own. Detection has to follow those sequences as they form and evaluate whether the full chain still aligns with the original task.

This requires a different kind of visibility. Tools must watch how actions connect, how the model selects the next tool, and whether the reasoning path stays consistent with the assigned goal. The moment a chain begins to drift, the system needs the ability to interrupt or isolate it before the sequence moves further.

Traditional telemetry only captures what happened after the fact. It does not show the reasoning behind each choice. Without that layer, security stays one step behind the actual behavior. Real-time chain observation closes that gap and turns detection into something that happens during the process rather than after it completes.

Enforcement also needs to evolve. Permissions can no longer stay static throughout a task. Access to tools and execution environments must adjust dynamically based on how the sequence develops. The system should not carry full authority from the first step all the way through to completion without ongoing reevaluation. That change gives security the ability to stay inside the workflow instead of reacting to it later.
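The chain-following detection and the dynamic permission step-down described in this section and in "Breaking the Action into Steps", as an added example (not SentinelOne's detection logic): a correlator that maps raw tool-call telemetry to stages of the chain, withdraws execution rights after the first drift (an install followed by decode-and-run in the same task), and terminates on the next new stage. The event schema, the stage heuristics and the sample events are assumptions.

```python
def classify(ev):
    """Map one telemetry event to a chain stage; event field names are assumptions."""
    cmd = ev.get("cmd", "")
    if ev["type"] == "exec" and cmd.startswith("pip install"):
        return "package_install"          # routine dependency update
    if ev["type"] == "exec" and "base64" in cmd and " -d" in cmd:
        return "decode_exec"              # decoding a bootstrap and running it
    if ev["type"] == "spawn" and ev.get("detached"):
        return "detached_spawn"           # execution leaving the agent's process tree
    if ev["type"] == "file_write" and ev["path"].startswith("/etc/systemd/system/"):
        return "persistence_write"        # e.g. a unit named "sysmon"
    return "outbound_connect" if ev["type"] == "connect" else None  # callback traffic

class Session:
    """Per-task state: chain stages reached so far and the live permission set."""
    def __init__(self):
        self.stages = []
        self.perms = {"install", "execute", "network"}

    def step(self, ev):
        """Advance one event; return 'allow', 'hold' (re-authorize) or 'terminate'."""
        stage = classify(ev)
        if stage is None or stage in self.stages:
            return "allow"
        self.stages.append(stage)
        # First drift: the same task installed a package and then decoded/ran code.
        if {"package_install", "decode_exec"} <= set(self.stages) and "execute" in self.perms:
            self.perms.discard("execute")  # neither step alerts alone; step rights down
            return "hold"
        # Any new stage after the hold (detached process, persistence, callback) is cut.
        if "execute" not in self.perms:
            self.perms.clear()
            return "terminate"
        return "allow"

def evaluate(events):
    """Return (verdict, index of the deciding event or None, stages seen)."""
    sess = Session()
    for i, ev in enumerate(events):
        if sess.step(ev) == "terminate":
            return "terminate", i, sess.stages
    return ("hold" if "execute" not in sess.perms else "allow"), None, sess.stages

# Constructed telemetry shaped like the incident; not captured events.
INCIDENT = [
    {"type": "exec", "cmd": "pip install -U litellm"},
    {"type": "exec", "cmd": "sh -c 'echo <bootstrap> | base64 -d | sh'"},
    {"type": "spawn", "detached": True},
    {"type": "file_write", "path": "/etc/systemd/system/sysmon.service"},
    {"type": "connect", "dst": "203.0.113.5:443"},
]
```

On the constructed sequence the chain is cut at the detached spawn, before the persistence write and the callback ever occur; an install followed by a test run and ordinary network traffic passes through unchanged.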

Our Take

The Claude incident reveals a clear pattern. Systems are being designed to act with minimal interruption while security still evaluates them as if they operate in isolated steps. Organizations prioritize continuity and speed, so agents move from planning to execution without the natural pauses that once existed in human processes.

This design removes the exact points where oversight used to happen. The result is behavior that stays consistent at every individual step and still produces an outcome no one intended. Security controls have not yet adapted to that reality. Most tools still focus on the edges of the process and look for known threats or obvious anomalies after actions have already taken place.

The real exposure forms earlier, inside the transitions that connect those actions. Once teams start looking at agentic systems through the lens of full decision chains, these incidents stop feeling like edge cases and start looking like the expected outcome of the current access model.

GAIG tracks platforms that connect directly to deployed model behavior and produce auditable records of decision chains in production. Enterprise teams evaluating AI security tools can compare options in the AI Security and AI Monitoring categories at GetAIGovernance.net based on how well they track runtime reasoning rather than just final actions.
