
From Shai-Hulud to LiteLLM: Supply Chain Attackers Are Coming for Your Agents

Blog post from JFrog

Post Details
Company: JFrog
Date Published:
Author: Yuval Fernbach
Word Count: 2,172
Language: English
Summary

The LiteLLM supply chain compromise of March 2026 marks a shift in attacker focus away from developers and toward the AI agents and infrastructure those developers rely on. According to the post, the attack was carried out by TeamPCP, who compromised the LiteLLM package, a widely used component of the AI ecosystem, by exploiting unpinned dependencies in its CI/CD pipeline to inject malicious payloads. Those payloads harvested credentials from affected systems and attempted lateral movement, illustrating the blast radius of a compromised AI infrastructure package. Open-source AI gateways are especially exposed: they sit as a central routing layer between applications and LLM APIs, so a compromise there reaches every application behind the gateway, which makes them attractive targets. JFrog's response is to govern the AI agentic supply chain with enterprise-grade controls, and the post introduces the JFrog AI Gateway and MCP Registry as the tools for enforcing security policies and vetting AI assets before they are integrated. The stated aim is to replace blind trust in open-source components with a policy-enforced framework, which the post frames as part of a broader Trusted Agentic Supply Chain.
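The summary names unpinned dependencies in the CI/CD pipeline as the vector. A practical first check is to find every dependency a pipeline fetches by a mutable reference. The script below is an added example, not JFrog's tooling or code from the LiteLLM project: it flags requirements that lack an exact `==` pin or a `--hash`, and GitHub Actions `uses:` steps whose ref is a tag or branch rather than a full commit SHA. The requirements file and workflow embedded in it are constructed samples, not LiteLLM's real files.

```python
"""Flag unpinned dependencies in a Python requirements file and a GitHub
Actions workflow.  Added example; the inputs below are constructed samples,
not the LiteLLM project's actual files."""
import re
from typing import List, Tuple

# A requirement line: package name, optional [extras], then the rest.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
# A full 40-hex-digit git commit SHA (the only immutable ref for an action).
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A GitHub Actions step of the form "uses: owner/repo@ref".
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")


def find_unpinned_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (package, reason) for every requirement that is not pinned to an
    exact version with a hash.  Comments, blank lines and pip option lines
    ('-r', '--index-url', ...) are skipped; backslash continuations are folded
    first so a '--hash=' on the next line counts for its requirement."""
    joined = re.sub(r"\\\n\s*", " ", text)
    findings: List[Tuple[str, str]] = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, _extras, rest = m.groups()
        if "==" not in rest:
            findings.append((name, "no exact version (==) pin"))
        elif "--hash=" not in rest:
            findings.append((name, "pinned but no --hash"))
    return findings


def find_unpinned_actions(workflow: str) -> List[Tuple[str, str]]:
    """Return (action, ref) for every 'uses:' step whose ref is not a full
    commit SHA.  Tags such as v4 and branch names can be moved by whoever
    controls the action's repository, so they are mutable references."""
    findings: List[Tuple[str, str]] = []
    for line in workflow.splitlines():
        m = _USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if ref.startswith("sha256:"):
            continue  # docker://image@sha256:... is an immutable digest
        if not _SHA_RE.match(ref):
            findings.append((action, ref))
    return findings


# Constructed sample requirements file (hash value is a placeholder).
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project's requirements
requests>=2.28
httpx==0.27.0
pydantic==2.7.1 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
openai
"""

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
# constructed sample workflow
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
      - name: install
        run: pip install -r requirements.txt
"""

if __name__ == "__main__":
    for pkg, why in find_unpinned_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements: {pkg}: {why}")
    for action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"workflow: {action}@{ref} is not pinned to a commit SHA")
```

Run it in CI against the real `requirements*.txt` and `.github/workflows/*.yml` and fail the job on any finding; the `--hash` requirement is what makes `pip install --require-hashes` refuse a substituted artifact even when the version number matches.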