The LiteLLM attack marks a shift in the SDLC: attackers are now targeting the AI agents developers rely on. Learn how to secure your agentic supply chain with JFrog.

JFrog is a leading provider of DevOps and software distribution solutions, offering tools for artifact management, continuous integration, and binary repositories. Developers can learn about software delivery pipelines, artifact management best practices, and CI/CD automation to accelerate their software delivery process and ensure reliable and secure software releases using JFrog's platform.

JFrog

The LiteLLM supply chain attack of March 2026 marks a significant escalation in attacker tactics: instead of targeting developers directly, threat actors are now compromising the AI infrastructure that developers' agents depend on. TeamPCP exploited an unpinned Trivy GitHub Action in LiteLLM's CI/CD pipeline to steal a PyPI publish token, then released two malicious versions that harvested cloud credentials, attempted lateral movement across Kubernetes clusters, and installed a persistent backdoor. With 3.4 million daily downloads and presence in 36% of cloud environments, the malicious versions were live for ~3 hours before detection. The attack was first noticed when it was pulled as a transitive dependency inside a Cursor MCP plugin. The post traces a pattern from the Shai-Hulud npm worm to the postmark-mcp malicious MCP server to LiteLLM, arguing that the agentic supply chain requires the same governance rigor as traditional software supply chains. JFrog promotes its AI Catalog, AI Gateway, and MCP Registry as solutions for enforcing trust before agents execute unvetted packages or connect to unverified MCP servers.

From Shai-Hulud to LiteLLM: Supply Chain Attackers Are Coming for Your Agents

The SDLC Is Changing – and So Is the Attack Surface

The LiteLLM Attack: A New Level of Sophistication

How JFrog Helps Protect your Agentic Supply Chain