University of California researchers found that some third‑party AI large language model (LLM) routers can create security vulnerabilities enabling credential and crypto theft. A paper measuring malicious intermediary attacks on the LLM supply chain identified four attack vectors, including malicious code injection and credential extraction. Co‑author Chaofan Shou summarized the finding: “26 LLM routers are secretly injecting malicious tool calls and stealing creds.”
LLM agents increasingly route requests through third‑party API intermediaries or routers that aggregate access to providers such as OpenAI, Anthropic and Google. Those routers terminate TLS connections and therefore have full plaintext access to every message. As a result, developers using AI coding agents (for example, to work on smart contracts or wallets) may be sending private keys, seed phrases and other sensitive data through router infrastructure that has not been screened or secured.
The researchers evaluated 28 paid routers and 400 free routers gathered from public communities. Key findings included:
– Nine routers actively injected malicious code.
– Two routers used adaptive evasion triggers.
– Seventeen routers accessed researcher‑owned Amazon Web Services credentials.
– One router drained Ether (ETH) from a researcher‑owned private key.
The team prefunded Ethereum “decoy” wallets with nominal balances; the experiment’s total value lost was below $50, and no transaction hash was provided. They also ran two poisoning studies showing that routers that appear benign can become dangerous when they reuse leaked credentials via weak relays.
Detecting malicious routers is difficult. The researchers note that “the boundary between ‘credential handling’ and ‘credential theft’ is invisible to the client because routers already read secrets in plaintext as part of normal forwarding.” They identified a common agent configuration called “YOLO mode,” where agents automatically execute commands without asking users to confirm each action. This makes it possible for previously legitimate routers to be silently weaponized, while free routers can use low cost or free API access as a lure to harvest credentials.
The paper urges developers to strengthen client‑side defenses and avoid sending private keys or seed phrases through AI agent sessions. As a long‑term mitigation, the authors recommend that AI providers cryptographically sign model responses so that instructions an agent executes can be mathematically verified as originating from the claimed model.
Cointelegraph is committed to independent, transparent journalism. This article was produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate, timely information. Readers are encouraged to verify information independently. Read the Editorial Policy at https://cointelegraph.com/editorial-policy
