Researchers at the University of California warn that some third‑party LLM routers create real security risks that can enable credential and cryptocurrency theft. In a systematic study of intermediary attacks on the LLM supply chain, the team identified multiple attack vectors—including malicious code injection and direct credential extraction—showing that intermediary routers are not a benign part of the stack.
How the risk arises
LLM agents and tooling increasingly route requests through third‑party API intermediaries that aggregate access to providers such as OpenAI, Anthropic and Google. Because those routers terminate TLS, they see every message in plaintext and therefore can inspect, modify or exfiltrate any data that passes through them. That means developers using AI agents to work on sensitive systems (for example, smart contracts, wallets or cloud APIs) may be sending private keys, seed phrases or access tokens across infrastructure that has not been vetted.
What the researchers did and found
The team evaluated a sample of 28 paid and roughly 400 free routers collected from public communities. Key results included:
– Nine routers actively injected malicious code into agent tool calls.
– Two routers used adaptive evasion techniques to avoid detection.
– Seventeen routers accessed researcher‑owned AWS credentials transmitted during tests.
– One router was able to drain Ether from a researcher‑controlled private key during the experiment.
To test theft of crypto keys, the researchers prefunded decoy Ethereum wallets with small balances; the total value lost in the study was under $50. They also ran poisoning experiments showing that routers that appear harmless can become dangerous if they reuse leaked credentials via weak relays.
Why detection is hard
Detecting malicious behavior is difficult because routers normally read secrets in plaintext for forwarding, making the line between legitimate credential handling and theft invisible to clients. The researchers also called out a common agent configuration they labeled “YOLO mode,” where agents automatically execute commands without user confirmation—an easy pathway for seemingly legitimate routers to be silently weaponized. Free or low‑cost routers can also act as lures by offering cheap API access while harvesting secrets.
Recommendations
The paper urges developers to avoid sending private keys or seed phrases through AI agent sessions and to strengthen client‑side protections (for example, disabling auto‑execute, prompting for confirmation, using short‑lived tokens, and running vetted or self‑hosted routing). As a longer‑term mitigation, the authors recommend that AI providers cryptographically sign model responses so agents can verify instructions’ provenance before executing them.
These findings underscore the need to treat intermediary routers as part of the trusted computing base and to audit or minimize sensitive data exposure when using AI agents.