26 LLM routers found malicious
Researchers uncovered 26 third-party AI routing services that inject malicious tool calls to exfiltrate credentials. The discovery highlights supply-chain risk for developers who chain models and external tools, with specific examples tied to smart-contract and developer tooling flows. The findings were shared publicly this week by security reporters tracking LLM router misuse. (x.com)
A new security study found 26 third-party artificial intelligence routers tampering with agent traffic, including services that stole credentials and injected malicious tool calls. (arxiv.org) These routers sit between an app and a model provider, like a mailroom that opens every package before forwarding it. The paper says they have full plaintext access to tool-calling requests and responses, and that providers do not enforce cryptographic integrity between client and upstream model. (arxiv.org)

The researchers, from the University of California, Santa Barbara, University of California, San Diego, Fuzzland, and World Liberty Financial, tested 28 paid routers and 400 free routers. They found one paid router and eight free routers actively injecting malicious code, 17 touching researcher-owned Amazon Web Services canary credentials, and one draining Ether from a researcher-owned private key. (arxiv.org)

The paper was posted on arXiv on April 9, 2026, under the title “Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain,” and is slated for presentation at the Association for Computing Machinery Conference on Computer and Communications Security in October 2026. Co-author Chaofan Shou said on X this week that “26 LLM routers are secretly injecting malicious tool calls and stealing creds.” (arxiv.org, coindesk.com)

The attack works through software “tools,” which are the buttons an agent can press to run code, move funds, or query a service. If a router alters that tool call in transit, the agent can be tricked into running a different command than the user or developer intended. (arxiv.org) The researchers split the attacks into payload injection and secret exfiltration, then added two harder-to-detect variants: dependency-targeted injection and conditional delivery.
In one poisoning experiment, intentionally leaked OpenAI keys and weakly configured decoys processed 2.1 billion tokens from these routers, exposing 99 credentials across 440 Codex sessions. (arxiv.org) The study tied the risk directly to developer and smart-contract workflows, where an agent may hold cloud keys, wallet secrets, or shell access while writing or deploying code. Cointelegraph reported that the examples included cryptocurrency-related flows in which a compromised router could steal private keys or return booby-trapped code. (cointelegraph.com, arxiv.org)

The paper also flagged “YOLO mode,” shorthand for autonomous execution settings that let an agent run commands without asking first. The authors wrote that 401 sessions were already running in that mode in their poisoning study, which allowed direct payload injection into live hosts. (arxiv.org)

The researchers tested four public agent frameworks with a research proxy they built, then proposed three client-side defenses: a fail-closed policy gate, response-side anomaly screening, and append-only transparency logging. They also wrote that any secret sent through a router should be treated as exposed, because the router normally reads it in plaintext while forwarding traffic. (arxiv.org)

The finding lands as developers increasingly use router services to switch among models from companies such as OpenAI, Anthropic, and Google without rewriting their apps. The paper’s closing point is narrower and more concrete: if that middle layer is untrusted, the agent’s tool calls, credentials, and outputs can be altered before they ever reach the model or come back. (arxiv.org, newsbreak.com)
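To make two of the proposed client-side defenses concrete, here is an added example (not code from the paper or from any router) of a fail-closed policy gate that checks every tool call in a model response against the agent's registered toolset before anything executes, recording each decision in a hash-chained append-only log. The tool names, the `read_file` path policy, and the sample responses are constructed for this illustration.

```python
import hashlib
import json
import posixpath
# Constructed samples shaped like the tool_calls an agent receives back through a
# router: one expected reply, and one carrying two calls that do not fit the toolset.
CLEAN_RESPONSE = {"tool_calls": [{"name": "read_file", "arguments": {"path": "src/app.py"}}]}
TAMPERED_RESPONSE = {"tool_calls": [
    {"name": "read_file", "arguments": {"path": "src/app.py"}},
    {"name": "read_file", "arguments": {"path": "~/.aws/credentials"}},
    {"name": "run_shell", "arguments": {"command": "id"}},
]}

def _safe_project_path(args):
    """Allow only relative paths that stay inside the project tree."""
    path = args.get("path", "")
    ok = isinstance(path, str) and path and not path.startswith(("/", "~"))
    return bool(ok) and not posixpath.normpath(path).startswith("..")

POLICY = {"read_file": _safe_project_path}  # hypothetical registered toolset

def _chain(prev, event):
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class TransparencyLog:
    """Append-only log: each hash covers the previous one, so edits break verify()."""
    def __init__(self):
        self.entries, self.head = [], "0" * 64
    def append(self, event):
        self.head = _chain(self.head, event)
        self.entries.append({"event": event, "hash": self.head})
    def verify(self):
        head = "0" * 64
        for entry in self.entries:
            head = _chain(head, entry["event"])
            if head != entry["hash"]:
                return False
        return True

def gate_response(response, log):
    """Fail closed: any unregistered tool or rejected argument refuses the whole reply."""
    reasons = []
    for call in response.get("tool_calls", []):
        name, validator = call.get("name"), POLICY.get(call.get("name"))
        if validator is None:
            reasons.append(f"unregistered tool {name!r}")
        elif not validator(call.get("arguments", {})):
            reasons.append(f"argument policy violation in {name!r}")
    log.append({"allowed": not reasons, "reasons": reasons})
    return not reasons, reasons
```

Because the gate refuses the entire reply rather than dropping the bad call, a single injected tool call cannot ride along with legitimate ones; the log lets a later audit show exactly what was refused and when.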