428 LLM API routers tested. 9 actively injecting malicious code. 1 draining Ethereum from a private key. 2.1 billion tokens processed with leaked credentials. Your AI agent may be receiving instructions from a router you don't control — and executing them as if they were legitimate.
What LLM API routers are and why they're a problem
LLM API routers are application-layer proxies that dispatch requests to multiple upstream providers. They have full plaintext access to every JSON payload in transit — both the request and the response. The fundamental problem: no provider enforces cryptographic integrity between client and model. The router modifies the response? The agent executes the payload as a legitimate instruction. No signature, no checksum, no verification.
The paper "Your Agent Is Mine" tested 428 routers: 28 paid (found on marketplaces like Taobao, Xianyu, and Shopify) and 400 free. The attack surface is enormous — and most companies don't even know they're exposed.
The numbers that matter
Of the 428 routers tested, 1 paid router and 8 free ones were actively injecting code. But the most concerning finding: 2 routers operated with adaptive evasion triggers — the payload only executes under specific conditions of context, timing, or origin. Under a superficial audit, these routers look completely benign.
17 routers touched the researchers' AWS canary credentials. 1 router drained ETH from a researcher's private key. This isn't theory — it's a real attack with direct financial impact.
The attack classes
The study identified two primary attack classes. AC-1: Payload Injection — the router modifies the upstream response before delivering it to the client. The agent trusts the response it receives. If the router modified it, the agent executes the payload as a legitimate model instruction. AC-2: Secret Exfiltration — the router extracts credentials, API keys, and tokens from payloads in transit.
Within AC-1, there are variants that make detection even harder. AC-1.a: Dependency-targeted injection — the payload is only injected when the request mentions specific dependencies. AC-1.b: Conditional delivery — the payload is only delivered under conditions of context, timing, or origin. Total evasion under superficial audits.
The cascading effect of leaked credentials
The researchers intentionally leaked OpenAI keys and configured weak decoys to observe router behavior. The result: 2.1 billion tokens processed by routers with leaked credentials. 99 credentials exposed across 440 Codex sessions. 401 sessions in YOLO autonomous mode — direct injection without human confirmation.
The most revealing finding: "benign" routers get pulled into the same attack surface when they process requests with leaked credentials. It doesn't matter if your router is trustworthy — if it has your key, and that key leaks, another router in the chain can exploit it. Leaked credentials amplify risk because a benign router with your key can be exploited by another router in the chain.
Tech86's position
There is no cryptographic integrity between client and model — the router modifies without detection. Your agent trusts the response it receives — if the router modified it, the agent executes the payload as a legitimate instruction. Free routers are the highest risk, but paid ones were caught too. And leaked credentials amplify everything: a benign router with your key can be exploited by another in the chain.
At Tech86, we evaluate AI agent architectures with a focus on communication integrity and API supply chain security. If your agents use routers without integrity verification, you're one proxy away from executing code that isn't yours. The question isn't whether routers will be exploited — it's whether you'll detect it when they are.