LLM routers found injecting malicious calls

A large language model router is the middleman that takes one app request and forwards it to a model provider like OpenAI or Anthropic, the same way a package hub decides which truck carries your box. A January 2025 paper described routers as part of the “control plane” for artificial intelligence systems, meaning they decide where requests go before any model answers. (arxiv.org) That middleman can read and rewrite the full request on the way through, because the router sees the plain text tool-call data before it reaches the model provider. A new paper posted on April 9, 2026 says no provider currently enforces cryptographic integrity between the client and the upstream model for these router hops. (arxiv.org) The researchers tested 28 paid routers bought from Taobao, Xianyu, and Shopify-hosted storefronts, plus 400 free routers collected from public communities. They found 1 paid router and 8 free routers that actively rewrote tool-call payloads into attacker-controlled commands or dependencies. (arxiv.org) They also found 17 routers that touched researcher-owned Amazon Web Services canary credentials, which are fake keys planted like dye packs in bank money to show when someone tries to steal them. One router used a planted private key to drain Ether from a researcher wallet. (arxiv.org) The paper splits the attacks into two basic moves. One move is payload injection, where the router silently swaps in a malicious command, and the other is secret exfiltration, where the router copies out credentials from the traffic passing through it. (arxiv.org) Some routers were harder to catch because they did not attack every request. The April 2026 paper says 2 routers used adaptive evasion triggers, including dependency-targeted injection and conditional delivery, which means the bad payload appeared only when a specific library or setup made the attack more likely to work. (arxiv.org) This is different from the earlier “malicious tool” problem, where the danger was a bad tool that a user or agent installs by mistake. A March 2026 study showed that once an agent invokes a malicious tool, that tool can read files, harvest credentials, or run code with the same privileges as legitimate software. (rdi.berkeley.edu) The new result moves the danger one layer earlier in the chain. Instead of tricking the agent into choosing a bad tool, a malicious router can tamper with the tool call before the agent or model provider ever sees the final command. (arxiv.org) Researchers had already shown that routers can be manipulated in less direct ways. The January 2025 router paper found that attackers could add “confounder gadgets,” which are token strings that push a router to send a query to a stronger and more expensive model without changing the visible task. (arxiv.org) The April 2026 paper says the supply-chain risk is now wider than model weights or plug-ins, because the orchestration layer itself can become the attacker. Its proposed defenses are client-side policy gates that fail closed, response-side anomaly screening, and append-only transparency logs so users can compare what they sent with what the provider actually received. (arxiv.org) The practical lesson is ugly and simple. If an agent can run code, touch cloud accounts, or sign transactions, then the router in front of it has to be treated like a privileged operator with your passwords in hand, not like a neutral pipe. (arxiv.org)