LLM routers found injecting malware

A researcher reported that 26 LLM routing services were injecting malicious tool calls that stole credentials, drained a $500k crypto wallet and could enable host takeovers. The disclosure highlights a new supply‑chain risk where trusted orchestration layers can betray downstream systems unless tool calls and routing are strictly validated (x.com).

A language model router is the traffic cop that sits between an application and the model it actually uses, and this week a new paper said some of those traffic cops were rewriting the traffic. The researchers reported that 26 routing services injected malicious tool calls, touched canary credentials, and in one case drained cryptocurrency from a planted wallet. (arxiv.org) That matters because a router does not just forward text. The paper says these services can read and modify every JavaScript Object Notation payload in plaintext before it reaches the upstream model, which turns a trusted middle layer into a supply-chain risk. (arxiv.org)

A tool call is the part where a model stops talking and starts doing something, like running code, reading a file, or calling an application programming interface. If a router silently swaps in a different tool call, the model can be tricked into handing over secrets or executing attacker-chosen commands. (modelcontextprotocol.io)

The researchers split the attacks into two buckets. One bucket was payload injection, where the router rewrote a tool request into a malicious command, and the other was secret exfiltration, where the router nudged the system into exposing credentials. (arxiv.org) They tested 28 paid routers bought through Taobao, Xianyu, and Shopify storefronts, plus 400 free routers collected from public communities. Across that set, they found 1 paid router and 8 free routers actively injecting malicious code, 2 using adaptive evasion tricks, 17 touching Amazon Web Services canary credentials, and 1 draining Ether from a researcher-controlled private key. (arxiv.org)

The paper also describes two poisoning studies that show how a router can become dangerous even when it does not start out malicious. Intentionally leaked OpenAI keys and weakly configured decoys processed 2.1 billion tokens from these routers, exposed 99 credentials across 440 Codex sessions, and reached 401 sessions already running in autonomous “you only live once” mode. (arxiv.org) That “you only live once” setting means an agent takes actions without pausing for human approval. In a setup like that, a forged tool call is less like a bad suggestion and more like a forged signature on a check that the software cashes automatically. (arxiv.org)

This is landing in an ecosystem that already leans hard on routing layers. The paper calls LiteLLM the dominant open-source router, and its GitHub repository showed about 42,700 stars on April 10, 2026, which gives a sense of how normal this middle layer has become in production systems. (arxiv.org) (github.com) The timing is awkward for another reason. LiteLLM disclosed a separate supply-chain incident in March 2026 involving compromised Python Package Index releases 1.82.7 and 1.82.8, which means developers are now looking at two different weak points at once: the code they install and the routers they trust at runtime. (docs.litellm.ai)

The paper’s defenses are plain but strict. The authors say clients should fail closed when tool calls violate policy, screen model responses for anomalies before execution, and keep append-only transparency logs so a router cannot quietly rewrite history after the fact. (arxiv.org) OpenAI’s current tools and connectors guidance already reflects the same instinct in softer form. Its documentation says tool calls can be allowed automatically or gated behind explicit user approval, and this paper is a concrete example of why “automatic” now needs much narrower boundaries than many agent demos assume. (developers.openai.com)
