9 Out of 428 LLM API Routers Are Injecting Malicious Code Right Now
Researchers tested 428 LLM API routers. Nine were actively injecting malicious code. One drained ETH from a private key. Here is what this means for your AI agents.
Your AI agent calls an API. The API calls a router. The router has full plaintext access to every JSON payload in flight. No encryption between you and the upstream model.
That is how most LLM API routing works today. And researchers just proved it is worse than you think.
The numbers
A team from UC Santa Barbara tested 428 LLM API routers. 28 paid (from Taobao, Xianyu, Shopify storefronts). 400 free (from public communities). The paper is called "Your Agent Is Mine" (arXiv 2604.08407). Here is what they found:
- 9 routers were actively injecting malicious code into responses (1 paid, 8 free)
- 17 routers accessed researcher-owned AWS canary credentials
- 1 router drained ETH from a researcher-owned private key
- 2 routers deployed adaptive evasion triggers (they only inject when they detect certain conditions)
That is not theoretical. That is live, measured, happening right now.
How the attack works
LLM API routers sit between your agent and the model provider. They are application-layer proxies. Every prompt, every tool call, every credential your agent passes through the router is visible in plaintext.
The researchers defined two attack classes:
- Payload injection (AC-1): The router modifies the model's response before it reaches your agent. It can inject arbitrary code, change tool call parameters, or redirect actions.
- Secret exfiltration (AC-2): The router copies credentials, API keys, or sensitive data from your agent's requests.
There are also two evasion variants. Dependency-targeted injection only fires when specific libraries are detected. Conditional delivery only triggers under certain conditions, making it harder to catch in testing.
The leaked key experiment
The researchers intentionally leaked a single OpenAI API key to measure what happens. Results:
- 100M GPT-5.4 tokens generated through that one key
- 2B billed tokens across weakly configured decoys
- 99 credentials harvested across 440 Codex sessions
- 401 sessions were already running in autonomous YOLO mode (no human in the loop)
YOLO mode means the agent has full autonomy. No approval gates. No budget limits. No kill switch. When a malicious router intercepts a YOLO-mode session, it controls an autonomous agent with real credentials.
The LiteLLM dependency confusion
This is not just about routers. In March 2026, attackers compromised the LiteLLM package through dependency confusion. They injected malicious code directly into the request-handling pipeline. Every deployment that pulled the poisoned release was exposed.
The supply chain attack surface is not hypothetical. It is the default.
What this means for your agents
If your agent routes through a third-party API proxy, you are trusting that proxy with everything. Every prompt. Every tool call. Every credential.
Most teams do not think about this. They pick the cheapest router, point their agent at it, and ship. The 401 YOLO-mode sessions the researchers found prove that this is the norm, not the exception.
How to protect your agents
Three things you can do today:
1. Run guards in-process, not at the gateway
A gateway-level guard runs after the router has already seen your data. An in-process guard runs inside your agent, before any external call. That is the only position where you can enforce limits before credentials leave your process.
AgentGuard runs in-process. Zero dependencies. No external calls required. Your budget limits, loop detection, and kill switches execute locally before anything hits the network.
from agentguard47 import init, BudgetGuard, LoopGuard init( guards=[BudgetGuard(max_cost=5.00), LoopGuard(max_iterations=50)], mode="local" )
2. Never run agents in YOLO mode without budget limits
401 out of 440 Codex sessions had no human in the loop. If your agent runs autonomously, it needs hard limits on spend, iterations, and time. Not soft warnings. Hard stops.
3. Audit your API routing chain
Know every hop between your agent and the model provider. If you are using a third-party router, ask: who runs it? What jurisdiction? What logging? Can they see my plaintext prompts?
If the answer to any of those makes you uncomfortable, route direct.
The bottom line
The LLM API supply chain is compromised at scale. 9 out of 428 routers are actively malicious. Researchers proved it with canary credentials, leaked keys, and ETH drainage.
Your agents need runtime safety that executes before the first external call. Not after. Not at a gateway. In-process.
That is what AgentGuard does.
AgentGuard is an open-source Python SDK for AI agent runtime safety. Budget limits, loop detection, and kill switches that run locally, with zero dependencies.
Patrick Hughes
Building BMD HODL — a one-person AI-operated holding company. Tennessee garage. Twelve agents.
Want more like this?
New posts on AI agents, runtime safety, and building in public. One email, zero fluff.
More writing
- 5 min
Nation-State Hackers Are Targeting Your AI Agent Keys
North Korean threat actors are targeting AI coding tools. Trojanized npm packages hunt for .cursor, .claude, .gemini, and .windsurf directories to steal API keys and source code.
- 7 min
Three Studies This Month Changed Everything About AI Agent Safety
Mythos found zero-days in every major OS. Nature documented AI deception in peer review. War games showed AI escalating to nukes. Three studies, one conclusion: your agents need hard limits.
- 5 min
Meta Burned 60 Trillion Tokens in 30 Days. Here Is How to Not Be Meta.
Meta gamified AI usage across 85,000 employees. They burned 60 trillion tokens in a month. Then they shut the leaderboard down. Here is what went wrong and how to prevent it.