API router hijack warning

A new security warning says the middlemen that route artificial intelligence agent requests can be turned into attack points that rewrite traffic and steal secrets. (arxiv.org) These routers sit between an agent and model providers, forwarding tool calls and responses like an application-layer proxy with full access to plaintext JavaScript Object Notation payloads. Researchers wrote that no provider they studied enforced cryptographic integrity between the client and the upstream model. (arxiv.org) In a study posted in April 2026, researchers tested 28 paid routers bought through Taobao, Xianyu, and Shopify-hosted storefronts and 400 free routers from public communities. They found 1 paid router and 8 free routers injecting malicious code, 17 touching planted Amazon Web Services canary credentials, and 1 draining Ether from a researcher-controlled private key. (arxiv.org) The warning lands as companies wire agents into tools through the Model Context Protocol, a standard introduced by Anthropic in November 2024. The Open Worldwide Application Security Project says that protocol gives models a shared “USB-C port for artificial intelligence” to connect to tools, data sources, and services. (cheatsheetseries.owasp.org) That design also means a model can see tool descriptions from every connected server in one context window. The Open Worldwide Application Security Project lists tool poisoning, data exfiltration through normal-looking tool calls, and message tampering after Transport Layer Security termination among the core risks. (cheatsheetseries.owasp.org) Invariant Labs published a separate warning on April 1, 2025, saying malicious Model Context Protocol servers can hide instructions inside tool descriptions that users do not see but models do. The firm said those hidden instructions can push an agent to access sensitive files, transmit data, and override directions from trusted tools. (invariantlabs.ai) The Model Context Protocol’s own security guidance also warns about proxy layers. Its documentation describes a “confused deputy” problem in which a proxy server that fronts third-party application programming interfaces can mishandle OAuth consent and let a malicious client obtain authorization it should not have received. (modelcontextprotocol.io) Researchers said poisoned or weakly configured peers can pull otherwise benign routers into the same chain. In their paper, intentionally leaked OpenAI keys and weakly configured decoys processed 2.1 billion tokens from routers, exposing 99 credentials across 440 Codex sessions, including 401 sessions running in autonomous “YOLO mode.” (arxiv.org) The defensive advice is narrower permissions, separate credentials for each server, and checks that fail closed when a response looks altered. The Open Worldwide Application Security Project says teams should never share tokens across servers and should request the smallest OAuth scopes a tool actually needs. (cheatsheetseries.owasp.org) The basic problem is simple: if an agent trusts the layer that routes its tools, that layer can quietly change what the agent sees and does. The latest warnings say the risk is no longer limited to a bad plugin or a rogue prompt, but extends to the infrastructure in the middle. (arxiv.org)