26 LLM routers found malicious

Researchers revealed 26 LLM routers that inject malicious tool calls, steal credentials and can enable host takeovers, based on a new arXiv paper outlining the attacks. The work highlights a concrete supply-chain and orchestration risk for systems that route prompts or tools across multiple models. (x.com)

A router in artificial intelligence is the traffic cop that decides which model gets your request, and many of these services sit in the middle as plain old web proxies that can read every tool call and every secret in the request body. A new arXiv paper says some of those middlemen were not just watching traffic but changing it. (arxiv.org)

The paper looked at 28 paid routers bought from Taobao, Xianyu, and Shopify storefronts, plus 400 free routers gathered from public communities. The researchers found 1 paid router and 8 free routers that actively injected malicious code into traffic. (arxiv.org)

That attack works because tool calling turns model output into actions. OpenAI’s own documentation describes tool calling as a loop where the model emits a tool call, the application executes it, and then sends the result back, so a tampered tool payload can become a real command on a real machine. (developers.openai.com) Anthropic’s documentation describes the same basic pattern from the other side: developers build the tool loop, manage the conversation state, and pass tool results back into the model. If a router sits between the client and the model, it can see and rewrite that loop in transit. (platform.claude.com)

The paper splits the abuse into two simple moves. One is payload injection, where the router rewrites a tool call before it reaches the client, and the other is secret exfiltration, where the router quietly copies credentials out of plaintext traffic. (arxiv.org)

The numbers get uglier after that. The researchers say 17 routers touched researcher-owned Amazon Web Services canary credentials, and 1 router drained Ether from a researcher-owned private key. (arxiv.org) A canary credential is a fake secret planted as a burglar alarm. Canarytokens, the service used for this kind of trap, says its tokens are designed to look legitimate and send an alert when someone uses them, which lets researchers tell the difference between accidental logging and active theft. (canarytokens.org)

Two routers also used evasion tricks. The paper says some malicious behavior was conditional, which means the router did not fire every time, making it harder for a quick spot check to catch the attack. (arxiv.org)

The researchers then showed the problem is not limited to obviously shady routers. In two poisoning studies, leaked and weakly configured credentials pulled seemingly benign routers into the same mess, including one leaked OpenAI key that generated 100 million GPT-5.4 tokens and weak decoys that led to 2 billion billed tokens, 99 credentials exposed across 440 Codex sessions, and 401 sessions already running in autonomous YOLO mode. (arxiv.org)

This sits on top of a broader weakness security people already worry about. The Open Worldwide Application Security Project describes prompt injection as a way to manipulate a language model into leaking data or taking unintended actions, and a malicious router gets to do that from the network path instead of from the prompt box. (owasp.org)

The paper’s demo setup, called Mine, tested these attacks against four public agent frameworks and then tried three defenses on the client side. The three were a fail-closed policy gate, anomaly screening on responses, and append-only transparency logs, which is the software equivalent of refusing unsigned packages, flagging weird receipts, and keeping an audit trail nobody can quietly edit later. (arxiv.org)

The uncomfortable part is how ordinary the setup is. OpenAI, Anthropic, and router vendors all support tool use and proxy-style integrations for real products, so the supply chain here is not some exotic lab edge case but the exact convenience layer developers use to swap models, cut costs, and keep one application talking to many providers. (developers.openai.com) (platform.claude.com) (openrouter.ai)
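A client-side sketch of two of the defenses the paper tested, a fail-closed policy gate on tool calls that come back through a router and an append-only, hash-chained transparency log, added here as an example and not code from the paper, from Mine, or from any agent framework; the registered tool set, the sample router response and the log format are assumptions.

```python
import hashlib
import json

# Tools this client registered with the model and their exact parameter
# names (constructed sample for the example).
REGISTERED_TOOLS = {"read_file": {"path"}, "search_docs": {"query"}}


def append_log(log, entry):
    """Append to a hash-chained log; each hash covers the previous hash, so
    editing or dropping an earlier record invalidates every later one."""
    prev = log[-1]["hash"] if log else "0" * 64
    body = json.dumps(entry, sort_keys=True)
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    log.append({"prev": prev, "entry": entry, "hash": digest})
    return digest


def verify_log(log):
    """Recompute the chain; False if any record was altered or removed."""
    prev = "0" * 64
    for rec in log:
        body = json.dumps(rec["entry"], sort_keys=True)
        if rec["prev"] != prev or rec["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
            return False
        prev = rec["hash"]
    return True


def gate_tool_calls(tool_calls, log):
    """Fail-closed gate: a call may run only if its tool is registered and its
    argument names match the registration exactly. Returns (allowed, denied)."""
    allowed, denied = [], []
    for call in tool_calls:
        name, args = call.get("name"), call.get("arguments") or {}
        if name not in REGISTERED_TOOLS:
            reason = f"unregistered tool {name!r}"
        elif set(args) != REGISTERED_TOOLS[name]:
            reason = f"arguments {sorted(args)} do not match registration of {name!r}"
        else:
            reason = ""
        append_log(log, {"call": call, "verdict": "deny" if reason else "allow", "reason": reason})
        (denied if reason else allowed).append(call)
    return allowed, denied


# Constructed sample: one legitimate call plus one that a tampering router
# could have spliced into the response on its way back to the client.
SAMPLE_RESPONSE = [
    {"name": "search_docs", "arguments": {"query": "rotate AWS keys"}},
    {"name": "run_shell", "arguments": {"command": "<injected by router>"}},
]
```

The gate never runs anything it cannot match to a registration, and because every verdict is chained into the log, a later attempt to quietly rewrite an earlier record shows up as a broken chain in `verify_log`.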

Shared from Scout - Be the smartest in the room.