Malicious Intermediaries Exploit LLM Supply Chain, Injecting Code and Exfiltrating Secrets

Security & Risk

The Engineer

13 Apr 2026 · 3 min read

Researchers uncover a critical security flaw in LLM systems: malicious intermediaries exploiting API routers to inject code and steal secrets, highlighting vulnerabilities in the unsecured supply chain.

The increasing reliance on third-party API routers for dispatching tool-calling requests in large language model (LLM) agents has exposed a significant security vulnerability. These routers act as application-layer proxies with full plaintext access to JSON payloads, but no cryptographic integrity is enforced between the client and upstream models. A new study by researchers from various institutions presents the first systematic analysis of this attack surface.

Key Findings

Malicious Routers: Out of 28 paid and 400 free routers examined, 1 paid and 8 free routers were found to actively inject malicious code.
Evasion Techniques: Two routers deployed adaptive evasion techniques.
Credential Theft: Seventeen routers accessed researcher-owned AWS canary credentials.
Financial Impact: One router drained ETH from a researcher-owned private key.

Threat Model and Attack Classes

The researchers formalized a threat model for malicious LLM API routers, defining two core attack classes:

Payload Injection (AC-1): Injecting arbitrary code into the JSON payloads.
Secret Exfiltration (AC-2): Extracting sensitive information such as API keys or credentials.

Additionally, they identified two adaptive evasion variants:

Dependency-Targeted Injection (AC-1.a): Targeting specific dependencies to inject malicious code.
Conditional Delivery (AC-1.b): Delivering payloads conditionally based on certain criteria.

Methodology and Findings

The study involved a comprehensive analysis of both paid and free routers. Key findings include:

Paid Routers: 1 out of 28 paid routers actively injected malicious code.
Free Routers: 8 out of 400 free routers were found to be injecting malicious code, with 2 using adaptive evasion techniques.

Poisoning Studies

Two poisoning studies further demonstrated the vulnerability:

Leaked OpenAI Key:
- Generated 100M GPT-5.4 tokens.
- Initiated more than seven Codex sessions.
Weakly Configured Decoys:
- Yielded 2B billed tokens.
- Collected 99 credentials across 440 Codex sessions.
- Resulted in 401 sessions running in autonomous YOLO mode.

Mitigation and Defense

To address these vulnerabilities, the researchers developed Mine, a research proxy that implements all four attack classes against four public agent frameworks. They evaluated three deployable client-side defenses:

Fail-Closed Policy Gate: Ensures that if any anomaly is detected, the system defaults to a safe state.
Response-Side Anomaly Screening: Detects and blocks responses that deviate from expected patterns.
Append-Only Transparency Logging: Maintains an immutable log of all interactions for audit purposes.

Conclusion

The study highlights the critical need for enhanced security measures in the LLM supply chain. As more applications rely on third-party API routers, ensuring cryptographic integrity and implementing robust client-side defenses are essential to mitigate the risk of payload injection and secret exfiltration.