What Happened
Researchers affiliated with UC Santa Barbara, UC San Diego, blockchain security firm Fuzzland, and World Liberty Financial published a paper titled 'Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain.' The paper documents a category of attack that has been largely invisible in public security research: malicious LLM routers. The team analyzed 428 routers — 28 paid and 400 free — and found 9 actively injecting malicious code or stealing credentials in the wild. Two of those deployed adaptive evasion, specifically designed to look clean during security reviews by waiting for a warm-up period or activating only during autonomous sessions.
The paper landed against a backdrop of rapid AI agent adoption in crypto. Coinbase's Payments MCP has processed tens of millions of transactions and recorded a 10,000% spike in agent activity. Stripe, MoonPay, and dozens of other providers shipped AI agent payment infrastructure in early 2026. AI agents equipped with crypto wallets are now transacting at scale. The infrastructure connecting those agents to their underlying models is the new attack surface.
What an LLM Router Is and Why It Has Access to Everything
LLM routers are intermediary services that sit between a user's application and AI model providers like OpenAI, Anthropic, or Google. They provide model fallback (if one provider is down, route to another), load balancing, cost optimization, and a single API key that works across multiple providers. LiteLLM, the dominant open-source router, has roughly 40,000 GitHub stars and 240 million Docker Hub pulls. OpenRouter connects users to over 300 active models from 60 providers and serves millions of developers. Most production AI deployments route traffic through at least one such intermediary.
A router sits in the middle of every conversation. Every request from the user's application passes through it before reaching the model. Every response from the model passes back through it. That means the router has full visibility into system prompts, user messages, tool calls, tool results, and any credentials or sensitive data embedded in those payloads. For AI agents connected to crypto wallets, that includes private keys, API tokens, and wallet access credentials — often passed in plain text because the developer assumes the router is a trusted intermediary.
What the Paper Found
Of 28 paid routers, 1 injected malicious code. Of 400 free routers built from common open-source templates, 8 injected malicious code or stole credentials. The paper formalizes two attack classes: payload injection, where the router alters or replaces tool-call traffic before it reaches the model or after the model responds; and secret exfiltration, where the router silently harvests credentials and keys from plaintext passing through it. Both classes are orthogonal to prompt injection — they happen in the JSON and tool layer entirely outside the model's reasoning loop, which means model safety features provide no protection against them. The free-router ecosystem runs largely on two template projects — new-api (25,400 GitHub stars, 1.25 million Docker pulls) and one-api (30,500 stars, 1.19 million Docker pulls) — both of which the researchers identified as having architecture that makes this class of attack structurally easy to implement.
Two routers were particularly sophisticated. Both deployed adaptive evasion: one waited for 50 prior calls before activating its payload, specifically to pass any automated security scan that runs only a small number of test requests. Another delivered its payload only when it detected the client was running in autonomous mode — the configuration where an AI agent executes actions without per-request human approval. For crypto users, that is exactly the configuration used when an agent manages a wallet. The router specifically targets that mode because it maximizes the window for unauthorized transactions before anyone notices.
The Supply Chain Compromise and the Real-World Drain
In March 2026, a threat actor identified as TeamPCP compromised the LiteLLM package itself through dependency confusion — a supply chain attack where a malicious package is published to PyPI, npm, or Docker Hub with a name that matches a dependency LiteLLM pulls in. Every deployment that pulled the poisoned release had malicious code injected directly into its request-handling pipeline. LiteLLM is used in production by thousands of organizations. The researchers' canary keys — intentionally leaked test credentials designed to alert on access — processed 2.1 billion tokens from routers in the wild before the study concluded.
Researcher Chaofan Shou documented the real-world outcome directly. In a post on X: 26 LLM routers are secretly injecting malicious tool calls and stealing creds. One drained our client's $500,000 wallet. The primary paper documents a test wallet drain; secondary reporting links the research to that $500,000 figure without the primary paper specifying that exact amount. The researchers also demonstrated the attack surface extends beyond individual malicious routers. By poisoning parts of the router ecosystem — tricking services into forwarding traffic through attacker-controlled relays — they were able to observe and control roughly 400 downstream systems within hours. A single malicious router in a chain of forwarding services is enough to compromise every downstream node.
What This Means for You
If you use any AI agent with access to your crypto holdings — whether that is an agent wallet, a DeFi automation tool, a trading bot, or any AI assistant with permission to read or send transactions — the LLM router between your application and the model is a full-visibility intermediary you have likely never audited. It sees every credential that passes through it. It can replace benign tool calls with malicious ones. It can exfiltrate private keys silently. The model's safety features, refusal training, and alignment provide zero protection against this attack because it happens outside the model's reasoning loop entirely.
The self-custody framing that applies to hardware wallets does not transfer here unchanged. Holding your own keys protects you from exchange insolvency, custodian failure, and counterparty risk. It does not protect you if the agent infrastructure sitting in front of your wallet can rewrite the action before the wallet signs it, or capture the private key before it reaches the signing step. The attack is upstream of the wallet. A hardware wallet correctly signing a transaction that was silently rewritten by a malicious router is not a security system — it is a compliant participant in the theft.
The practical security posture: treat the LLM router as an untrusted component regardless of who provides it. Never pass private keys, wallet seed phrases, or bearer tokens through an LLM routing layer in plain text. Where possible, use direct API connections to model providers rather than third-party routers. If you are building or using an AI agent with wallet access, implement a fail-closed policy gate — any tool call that includes a financial action should require explicit human approval before execution, not just model-generated authorization. Autonomous mode, where an agent executes financial transactions without per-action review, is specifically the mode the most sophisticated malicious routers target.
What to Watch
The paper proposes three client-side defenses: a fail-closed policy gate that blocks unexpected tool calls, response-side anomaly screening that flags unusual model outputs, and append-only transparency logging that creates an auditable record of every router action. None of these are widely implemented in consumer-facing AI agent products today. Watch for whether Coinbase, Stripe, and MoonPay — the infrastructure providers building AI agent payment rails — adopt mandatory transparency logging as a product requirement. And watch for whether OWASP's LLM security guidance, which currently focuses on prompt injection, is updated to address the router supply chain attack class this paper documents.