Researchers testing 428 LLM routing services discovered that 9 are actively injecting malicious code into AI tool calls — the commands that tell systems to run code, install software, or access APIs. One paid router and eight free services modified instructions after models generated them but before client systems executed them, maintaining valid formatting to avoid detection. The attacks targeted autonomous sessions where commands run without human approval, with some routers waiting 50+ requests before striking to evade short-term testing.
This isn't theoretical anymore. A March incident with the LiteLLM router showed how dependency confusion attacks can compromise entire request pipelines, giving attackers access to every API call flowing through affected systems. The routing layer has become a critical attack surface that most developers treat as trusted infrastructure. With AI agents increasingly handling sensitive operations autonomously, these intermediary services can silently alter what gets executed while appearing to function normally.
The credential theft is equally concerning. Seventeen free routers actively used AWS canary credentials after exposure, and one drained funds from a monitored Ethereum private key. When researchers intentionally leaked an OpenAI API key on Chinese forums, it generated 100M tokens of usage across multiple systems, demonstrating how compromised keys spread through the ecosystem. Meanwhile, the broader AI tooling landscape shows similar trust assumptions — developers building agents focus on "brain" frameworks like LangChain while treating integration layers as solved problems.
If you're routing LLM requests through third-party services, audit your providers now. Implement request signing, monitor for unexpected tool call modifications, and never route sensitive operations through free or unvetted services. The convenience of unified routing APIs isn't worth the risk when attackers can silently rewrite your AI's commands.