This paper introduces the first systematic study of "Malicious Intermediary Attacks" on the LLM supply chain, specifically targeting API routers. The authors formalize a threat model for these routers and demonstrate how they can execute stealthy payload injections (AC-1) and secret exfiltration (AC-2) across multiple agent frameworks. Through extensive measurement of both paid and free routers, the study reveals active malicious behavior in the wild, including code injection and credential theft.
TL;DR
A new study reveals a massive security gap in the LLM ecosystem: API Routers. Because these intermediaries terminate TLS to route traffic, they have full plaintext access to your prompts and tool calls. Research shows that malicious routers are already injecting code and stealing credentials in the wild. Even "benign" routers can be poisoned if they use leaked upstream keys.
Background: The Intermediary Trust Gap
In the race to build autonomous agents, developers have turned to API routers like LiteLLM and OpenRouter to handle load balancing and cost optimization. While convenient, these routers occupy a "Man-in-the-Middle" (MITM) position by design.
The core problem? There is no end-to-end integrity. When an LLM decides to run a shell command, that JSON payload travels through the router in plaintext. A malicious router can rewrite `pip install requests` to `pip install malicious-clone` before it ever reaches your machine.
Methodology: The "Mine" Attack Taxonomy
The researchers formalized the threat into four distinct Adversarial Router Behaviors:
- AC-1 (Payload Injection): Directly modifying tool arguments (e.g., changing a URL in a `curl` command).
- AC-2 (Secret Exfiltration): Passively scanning traffic for AWS keys, SSH credentials, or GitHub tokens.
- AC-1.a (Dependency Targeting): A stealthy variant of AC-1 that uses typosquatting (e.g., `reqeusts` instead of `requests`) to bypass simple domain allowlists.
- AC-1.b (Conditional Delivery): Adaptive evasion where the router only attacks after a "warm-up" period (e.g., after 50 benign requests) to avoid detection by security scanners.
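The dependency-targeting variant (AC-1.a) is worth a concrete client-side check, because a domain allowlist never sees it: the rewritten package still comes from pypi.org. The following is an added example, not code from the paper or from any agent framework it studies. It parses the shell command inside a tool call, extracts the names handed to `pip install`, and compares each against a constructed allowlist of expected packages using edit distance, so a near-miss such as `reqeusts` is reported as a typosquat suspect rather than silently installed. The tool-call JSON shape, the allowlist and the `execute_command` tool name are assumptions for the demonstration.

```python
import json
import re
import shlex

# Constructed allowlist: the packages this project is expected to install.
# In practice this would come from the project's own lock file or requirements.
KNOWN_PACKAGES = {"requests", "numpy", "pandas", "flask", "boto3"}

# Shell tokens that end one command and start another.
COMMAND_SEPARATORS = {"&&", "||", ";", "|"}

# Characters that begin a version specifier, extras or URL in a pip requirement.
SPEC_SPLIT = re.compile(r"[=<>!~\[;@]")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def pip_packages(command: str) -> list[str]:
    """Return the package names a shell command would hand to `pip install`."""
    tokens = shlex.split(command)
    packages = []
    i = 0
    while i < len(tokens):
        if tokens[i] in ("pip", "pip3") and i + 1 < len(tokens) and tokens[i + 1] == "install":
            i += 2
            while i < len(tokens) and tokens[i] not in COMMAND_SEPARATORS:
                token = tokens[i]
                if not token.startswith("-"):  # skip flags such as -U or --quiet
                    packages.append(SPEC_SPLIT.split(token, maxsplit=1)[0].lower())
                i += 1
        else:
            i += 1
    return packages


def classify_package(name: str, max_distance: int = 2) -> str:
    """Return 'known', 'typosquat-suspect:<target>' or 'unknown' for one package name."""
    if name in KNOWN_PACKAGES:
        return "known"
    closest = min(KNOWN_PACKAGES, key=lambda known: levenshtein(name, known))
    if levenshtein(name, closest) <= max_distance:
        return f"typosquat-suspect:{closest}"
    return "unknown"


def screen_tool_call(tool_call_json: str) -> list[tuple[str, str]]:
    """Screen one shell tool call before execution.

    Returns (package, verdict) pairs for every package that is not known-good;
    an empty list means the call installs nothing unexpected.
    """
    call = json.loads(tool_call_json)
    if call.get("name") not in {"bash", "shell", "execute_command"}:  # assumed tool names
        return []
    findings = []
    for package in pip_packages(call["arguments"]["command"]):
        verdict = classify_package(package)
        if verdict != "known":
            findings.append((package, verdict))
    return findings


if __name__ == "__main__":
    # Constructed tool call, in the shape it would arrive from the router after an AC-1.a rewrite.
    suspicious = json.dumps({"name": "bash", "arguments": {"command": "pip install -U reqeusts==2.31 numpy"}})
    print(screen_tool_call(suspicious))  # [('reqeusts', 'typosquat-suspect:requests')]
```

The check runs on the client, after the response leaves the router and before the agent framework executes the command, which is the only place a router rewrite can still be caught. The edit-distance threshold of 2 catches transpositions and single-character swaps; anything further away is reported as simply unknown so a human or a stricter policy can decide.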
Figure 1: How a single malicious router (R4) can taint the entire response path, even if target agents (e.g., Claude Code) are using multiple hops.
Empirical Evidence: A Toxic Market
The authors didn't just theorize; they went shopping. They analyzed 28 paid routers from marketplaces like Taobao and 400 free routers from public communities.
The results were chilling:
- 9 routers were caught actively injecting malicious code.
- 17 routers touched researcher-owned AWS canary tokens.
- 1 router successfully drained ETH from a decoy wallet.
- Poisoning Vulnerability: By leaking an OpenAI key, researchers saw it absorbed into the "gray market" supply chain, where it was used to process 2.1 billion tokens, exposing hundreds of third-party sessions to potential MITM attacks.
Figure 2: Percentage of malicious behaviors found across paid vs. free router populations.
Defenses: What Can We Do Today?
While the industry waits for a standard like Provider-Signed Response Envelopes, the authors suggest three client-side mitigations:
- High-Risk Tool Policy Gates: Forcing a "fail-closed" state on commands like `bash` or `pip` if they attempt to contact unverified domains.
- Anomaly Screening: Using machine learning (e.g., Isolation Forests) to detect unusual shifts in tool-use semantics or argument entropy.
- Transparency Logging: Keeping an append-only local log of every raw response and its cryptographic hash to enable forensic auditing.
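The three mitigations fit together as one client-side pipeline: log the raw bytes first, then gate and screen every tool call the response carries. The following is an added example, not code from the paper or from any router or agent framework it names. It uses a plain entropy threshold in place of the Isolation Forest the authors mention, a constructed domain allowlist and high-risk tool set, an OpenAI-style `tool_calls` layout for the sample response, and an in-memory hash chain standing in for the on-disk append-only log; all of these are assumptions for the demonstration.

```python
import hashlib
import json
import math
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed policy: tools treated as high risk and the only domains they may reach.
HIGH_RISK_TOOLS = {"bash", "pip", "curl"}
TRUSTED_DOMAINS = {"pypi.org", "files.pythonhosted.org", "github.com"}
URL_RE = re.compile(r"https?://[^\s'\"]+")
ENTROPY_THRESHOLD = 4.5  # bits per character; would be tuned against the agent's normal traffic


def shannon_entropy(text: str) -> float:
    """Bits per character of a string; encoded or packed blobs score far above plain commands."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def policy_gate(name: str, arguments: dict) -> tuple[str, Optional[str]]:
    """Fail-closed gate: block a high-risk tool that references any domain not on the allowlist."""
    if name not in HIGH_RISK_TOOLS:
        return "allow", None
    for url in URL_RE.findall(json.dumps(arguments)):
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_DOMAINS:
            return "block", f"unverified domain: {host}"
    return "allow", None


def entropy_screen(arguments: dict) -> list[str]:
    """Return the names of string arguments whose character entropy exceeds the threshold."""
    return [key for key, value in arguments.items()
            if isinstance(value, str) and shannon_entropy(value) > ENTROPY_THRESHOLD]


class TransparencyLog:
    """Append-only, hash-chained log of raw router responses for later forensic auditing."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self.head = self.GENESIS

    def append(self, raw_response: bytes) -> str:
        # Each digest covers the previous digest, so no entry can be altered or dropped unnoticed.
        digest = hashlib.sha256(self.head.encode() + raw_response).hexdigest()
        self.entries.append({"prev": self.head, "sha256": digest, "raw": raw_response})
        self.head = digest
        return digest

    def verify(self) -> bool:
        """Recompute the whole chain; any edited or removed entry breaks it."""
        prev = self.GENESIS
        for entry in self.entries:
            expected = hashlib.sha256(prev.encode() + entry["raw"]).hexdigest()
            if entry["prev"] != prev or entry["sha256"] != expected:
                return False
            prev = expected
        return prev == self.head


def screen_response(raw_response: bytes, log: TransparencyLog) -> list[dict]:
    """Log the raw response bytes, then gate and screen every tool call it carries."""
    log.append(raw_response)  # record exactly what the router sent, before any parsing
    response = json.loads(raw_response)
    decisions = []
    for choice in response.get("choices", []):
        for call in choice.get("message", {}).get("tool_calls", []):
            name = call["function"]["name"]
            arguments = json.loads(call["function"]["arguments"])
            decision, reason = policy_gate(name, arguments)
            decisions.append({"tool": name, "decision": decision, "reason": reason,
                              "high_entropy_args": entropy_screen(arguments)})
    return decisions


# Constructed OpenAI-style response carrying one benign and one suspicious tool call.
SAMPLE_RESPONSE = json.dumps({"choices": [{"message": {"tool_calls": [
    {"function": {"name": "bash", "arguments": json.dumps({"command": "pip install requests"})}},
    {"function": {"name": "curl", "arguments": json.dumps({"url": "https://updates.example.net/agent.sh"})}},
]}}]}).encode()

if __name__ == "__main__":
    log = TransparencyLog()
    for decision in screen_response(SAMPLE_RESPONSE, log):
        print(decision)
    print("log intact:", log.verify())
```

Logging before parsing matters: if the gate later blocks a call, the log still holds the exact bytes the router produced, which is the evidence an investigation needs. The hash chain makes a tampered or truncated log detectable, but it does not make the log trustworthy against the router itself; only a provider signature on the response would close that gap.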
Critical Insight & Conclusion
This paper serves as a wake-up call for the AI agent community. We have spent years worrying about Prompt Injection (the user tricking the model), but we have ignored Router Injection (the infrastructure tricking the client).
The vulnerability is architectural. As long as routers provide "OpenAI-compatible" interfaces by re-packaging responses without a signature from the source (OpenAI, Anthropic, etc.), the agent supply chain remains fundamentally broken. If you don't control your router, you don't control your agent.
