Welcome back, aspiring cyberwarriors!
In the rush to roll out production AI agents, developers landed themselves in a bit of a convenience trap. Managing a mixed bag of LLM providers like OpenAI, Anthropic, and Google while dealing with rate limits is turning into a logistical hell. To simplify things, the industry has turned to LLM API routers.
Platforms like LiteLLM, which has racked up over 240 million Docker pulls, and OpenRouter have become the go-to solutions for developers. These routers work as easy-to-use intermediaries, providing a single API and smooth load balancing. But in our eagerness for convenience, we have built a fragile system that leaves the front door wide open. By adding an intermediary that needs to break and re-establish TLS connections, we have created a router-in-the-middle situation. So your most sensitive information, like system prompts, proprietary code, and executable tool calls, is being shared in plaintext with a third party.
In this article, we will explore the vulnerabilities within the LLM supply chain, specifically focusing on the risks associated with Router-in-the-Middle attacks and how they can compromise sensitive information and system integrity in AI deployment. Let’s get rolling!
Step #1: Understand the Problem
Usually, network-layer MITM attacks are problematic because they involve complex stuff like certificate forgery or downgrading TLS security. But with the Router-in-the-Middle (RITM) vulnerability, the danger is that it’s something you set up yourself.
When a developer changes their app’s base URL to point to a router, they’re essentially bypassing the whole point of TLS, which is to provide secure communication. It’s not that you’re getting hacked; you’re giving an intermediary app authority over how your data is handled. This creates a weak point in the AI supply chain. Since routing can involve multiple steps, your request could go through various services, such as a reseller or an aggregator, and then to a platform like OpenRouter before it even reaches a GPU. If just one of those hops is compromised, the entire trip can be affected. Even if the last router in the line is trustworthy, it can’t verify whether a malicious step earlier in the chain has already messed with your information or instructions.
Step #2: The “Your Agent Is Mine” Attack
The biggest threat out there is AC-1: Payload Injection. Basically, this means a router stops just being a bystander and gets involved by messing with the instructions your agent runs. It’s not just a theory, it can actually disrupt how frameworks such as Claude Code, OpenClaw, and Codex operate.
With modern agents using call tools to perform tasks, a hacked router can intercept the model’s output and modify it before it reaches your machine. Here’s how it typically works: the router identifies a harmless call, like a curl command to get a legitimate library. Then it swaps the safe URL with one controlled by an attacker or replaces a legitimate dependency with a malicious one. When your agent receives what appears to be valid JSON and recognizes a familiar tool name, it executes the malicious payload locally with full privileges. This means that a compromised router can easily replace a trusted installer URL with a harmful script or quietly steal credentials that pass through the service. This vulnerability became apparent in March 2026, when the LiteLLM package was compromised through a technique called dependency confusion. Hackers gained access to the request-handling system and turned a trusted piece of infrastructure into a tool to manipulate every request in real time.
More advanced attackers often use what’s called Adaptive Evasion to dodge standard security checks.
One surprising finding from research is the warm-up period, where a malicious router might act totally normal for dozens of calls to appear innocent. After building enough trust, it can spring its trap with mechanisms like Conditional Delivery, triggering attacks only when it knows the stakes are high. It focuses on high-impact tools, scans for specific command patterns, and waits for the right time, like off-hours when there’s less human oversight.
So, when a router behaves well in a testing environment, it doesn’t really mean anything. These routers are smart enough to wait for real production traffic before launching their attack.
Now, when we talk about routers being negligent, they don’t need to be evil from the start. Just being careless can do the damage. If a trusted router reuses a leaked key or sends traffic through a suspicious relay to cut costs, you’re left vulnerable because you inherit the weaknesses of that weakest link. For instance, one study found that a single leaked OpenAI key was used by various routers to process 100 million GPT tokens, revealing almost 100 unique credentials across numerous sessions. And that’s just the tip of the iceberg, as researchers using weakly configured decoy routers noticed over 2 billion tokens flowing through these compromised paths.
The real-world implications are serious. These poisoned routes have been found draining ETH from private keys and even messing with AWS canary credentials. You might think you’re using a premium service, but if it’s pulling from a shady source, your data is already in trouble.
The last line of defense against these attacks used to be the human-in-the-loop, but that barrier is being taken down. Many developers run agents in what’s called YOLO mode, allowing them to execute commands and code without manual checks, which can pose a danger. But recent data is alarming: over 90% of the sessions observed in a recent study were operating in this autonomous mode. This effectively removes any safeguards. Even if a UI prompts for approval, it often misses things like typosquatting. An attacker can swap out a legitimate library for a malicious one that looks almost identical, which gets installed without raising any red flags. As a result, the attacker gains a foothold on the host machine without any resistance.
Summary
We must recognize that using third-party AI aggregators may pose security risks, given the current state of the situation. To explore this topic further, stay tuned for the second part, where we will demonstrate the Router-in-the-Middle attack.
If you want to stay ahead of potential threats, consider checking out the Cybersecurity Starter Bundle.
Source: HackersArise
Source Link: https://hackers-arise.com/artificial-intelligence-attacks-on-the-llm-supply-chain-part-1/