Your AI Agent is Secretly a Hacker

Imagine your autonomous AI agent, tirelessly executing tasks, suddenly turning against you. This isn't science fiction about AI gaining sentience; it's a stark new reality uncovered by cybersecurity researchers. The very tools designed to manage your Large Language Model (LLM) traffic, like API routers such as LiteLLM and OneAPI, harbor a massive, overlooked security hole in your stack.

A groundbreaking paper, 'Your Agent is Mine,' recently exposed this vulnerability, proving that the entire LLM supply chain is currently a playground for sophisticated hackers. This research, from the University of California, Santa Barbara, and Fuzzland, unveils a new class of threat that extends far beyond traditional prompt injection techniques.

Researchers call this a Malicious Intermediary Attack. Unlike prompt injection, which manipulates the model's input, this attack targets the communication channel itself. Because no end-to-end cryptographic signature exists between the model provider and your local machine, a malicious router gains full plaintext access to all requests and responses, silently rewriting the model’s directives before your agent ever sees them.

The implications are terrifying. After testing over 400 free and 28 paid LLM API routers, the researchers found active exploitation. Nine routers were injecting malicious code into tool calls, 17 routers were caught stealing planted AWS credentials, and one router even successfully drained a researcher's Ethereum wallet. Some even use adaptive evasion, waiting for agents to enter 'YOLO mode'—operating autonomously without manual approval—before striking.

A new threat, dubbed the Malicious Intermediary Attack, exposes a critical vulnerability in the LLM supply chain. This isn't a traditional hack; instead, it leverages third-party services you willingly integrate into your AI agent's operations. Researchers from the University of California, Santa Barbara, and Fuzzland detailed this in their paper "Your Agent is Mine," revealing how trusted components become conduits for compromise.

Many developers rely on LLM API routers like LiteLLM and OneAPI to streamline their AI infrastructure. These services consolidate API calls, manage model access, and optimize credit usage across various large language models. They offer convenience, acting as a centralized hub for all agent-model interactions, making them an indispensable part of modern AI development stacks.

However, this convenience comes with a profound security flaw: a fundamental lack of end-to-end cryptographic signature between your agent and the upstream model provider. When your agent sends a request through one of these routers, the router terminates the TLS session, gaining full plaintext access to every piece of data. This means the intermediary sees everything your agent sends and receives, completely unencrypted.

Consider this a digital postal worker who not only handles your mail but also opens, reads, and can alter its contents before delivering it. This intermediary can silently rewrite model responses, inject new instructions, or extract sensitive information without either your agent or the LLM provider ever knowing. It effectively holds the keys to your agent's communication.

The consequences are dire and already evident in the wild. Researchers tested over 400 free and paid routers, uncovering alarming activity: - 9 routers actively injecting malicious code into tool calls. - 17 routers stealing AWS credentials planted as canaries. - 1 router successfully drained a researcher's Ethereum wallet. Some even use adaptive evasion, waiting for agents to enter "YOLO mode"—autonomous operation without manual approval—before launching targeted attacks.

Malicious Intermediary Attacks (MIAs) represent a fundamentally different threat than prompt injection. While prompt injection manipulates an LLM’s *input* to bypass guardrails or elicit specific, unintended text, MIAs operate at a later, more critical stage.

This attack intercepts and alters the LLM’s *output*, specifically targeting tool calls or function executions, *before* your agent ever sees the authentic response. Imagine your agent asking for a Python script, and an intermediary silently swaps it for a malicious version.

This isn't a model-layer weakness; it's an application-layer, supply chain vulnerability, designated OWASP LLM03. Third-party API routers, used for managing LLM credits or traffic, are prime targets. Lack of end-to-end cryptographic signatures allows these routers full plaintext access to model responses.

Traditional defenses against prompt injection – input sanitizers, firewalls, and content filters – are entirely ineffective. These tools focus on scrutinizing what *enters* the LLM. They offer no protection when the malicious manipulation occurs *after* the LLM has generated its response but *before* your agent acts on it.

A recent paper, "Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain," uncovered the alarming scale of this threat. Researchers tested over 400 free and paid LLM API routers, revealing widespread compromise.

Their findings are stark: - 9 routers actively injected malicious code into tool calls, swapping legitimate commands like `pip install requests` for typo-squatted, attacker-controlled packages. - 17 routers were caught stealing AWS credentials, planted as canaries in test environments. - One router successfully drained a researcher’s Ethereum wallet.

Some malicious intermediaries even demonstrated adaptive evasion, waiting for specific conditions, such as an agent operating autonomously in "YOLO mode" (without manual approval), before launching their attacks. This highlights a sophisticated and systemic vulnerability, demanding immediate attention beyond simple input validation.

Attackers leverage Payload Injection, the first core attack type, by exploiting the intermediary's full plaintext access to LLM traffic. This vulnerability allows a malicious router to silently rewrite a model's response before an agent ever sees it.

Consider a scenario where your autonomous agent asks the LLM for a common Python library, prompting the model to generate the tool call `pip install requests`. A compromised router intercepts this legitimate request.

The router then covertly swaps the command, replacing the benign package with a typo-squatted package that bears a similar name but contains malicious code. Your agent, unaware of the alteration, proceeds to execute the modified command.

This seemingly minor substitution triggers devastating consequences. The malicious package installs a reverse shell, immediately granting the attacker remote code execution (RCE) and full system compromise. The attacker gains unfettered access to the agent's host environment.

Autonomous agents are fundamentally designed to trust and execute tool calls generated by the LLM. This inherent design choice, crucial for their functionality, becomes the perfect attack vector. Agents execute these commands without further scrutiny, opening a direct pipeline for attackers to inject arbitrary code into critical systems.

Researchers identified nine routers actively injecting malicious code into tool calls across their extensive study of over 400 free and paid LLM API routers. This demonstrates the immediate and widespread threat this vulnerability poses to the LLM supply chain.

Beyond actively injecting malicious payloads, attackers employ a second, equally insidious tactic: Secret Exfiltration. This attack is passive and invisible, transforming your trusted LLM router into a silent data siphon. It doesn't modify your agent's actions; instead, it simply observes and collects.

Routers, positioned as critical intermediaries, possess full plaintext access to every piece of data flowing between your agent and the large language model. This privileged position allows them to continuously scan all incoming and outgoing traffic. They deploy sophisticated regex patterns, constantly searching for specific, high-entropy strings that betray sensitive information. This quiet, persistent surveillance makes the attack incredibly difficult to detect, operating entirely in the background without altering any visible behavior.

Attackers specifically target high-value credentials that grant unfettered access to cloud infrastructure, code repositories, and financial assets. These include: - AWS keys, which can unlock cloud environments and data storage - GitHub tokens, providing access to private codebases and development pipelines - Ethereum private keys, essential for controlling and transferring cryptocurrency holdings Once captured, these secrets provide a direct, unauthenticated pathway for attackers to compromise critical systems, steal intellectual property, or drain digital wallets.

Researchers from the "Your Agent is Mine" study exposed the alarming prevalence of this threat across the LLM supply chain. After scrutinizing over 400 free and paid routers from public communities and storefronts, their findings were stark and immediate. They confirmed 17 routers were actively stealing AWS credentials planted as canaries, demonstrating a widespread and active vulnerability within these seemingly benign intermediaries.

The investigation revealed an even more terrifying outcome that transcends data theft: one malicious router successfully drained a researcher's Ethereum wallet. This single, devastating incident underscores the catastrophic financial potential of secret exfiltration. Your autonomous AI agent, unknowingly routing sensitive commands and data through a compromised intermediary, becomes an unwitting accomplice in its own financial ruin or the complete compromise of your infrastructure.

Researchers behind "Your Agent is Mine" exposed a critical vulnerability within the LLM supply chain, revealing how hackers exploit intermediary services. Their paper details a "Malicious Intermediary Attack," where compromised API routers gain full plaintext access to agent requests. This allows silent manipulation before responses ever reach your system.

The scale of their investigation was unprecedented, testing over 400 free and paid routers. These intermediaries, often managing LLM credits via services like LiteLLM or OneAPI, were sourced from public communities and major storefronts like Taobao and Shopify. The study effectively created a vast "honeypot" to observe real-world attacks.

Findings from this extensive research were stark. Researchers discovered: - 9 routers actively injecting malicious code into tool calls. - 17 routers engaged in stealing credentials. - 1 router successfully drained a researcher's Ethereum wallet. These statistics confirm a widespread and active threat environment.

To track credential theft, researchers employed a clever canary method. They strategically planted fake AWS keys, GitHub tokens, and Ethereum private keys within test requests. When these "canaries" were later used by external actors, it unequivocally proved the router had siphoned the sensitive data. This passive, invisible exfiltration poses a severe risk.

Some malicious intermediaries demonstrated advanced tactics, including adaptive evasion. These routers waited for specific conditions, like an agent entering "YOLO mode" – operating autonomously without manual approval – before launching their attack. For deeper technical insights into these findings, explore the research Malicious Intermediary Attacks on LLM Supply Chain - Emergent Mind. This sophisticated approach highlights the evolving nature of AI agent threats.

Most terrifying revelation from the "Your Agent is Mine" research paper isn't just the existence of malicious intermediaries; it's their cunning. Researchers uncovered instances of adaptive evasion, a sophisticated technique where compromised routers lie dormant, observing agent behavior before launching a targeted strike. This patient approach dramatically increases the likelihood of a successful, devastating attack, making traditional security measures less effective.

Attackers often wait for what the researchers term "YOLO Mode." This critical state occurs when an autonomous AI agent operates without manual approval, executing commands and interacting with systems completely unsupervised. Once an agent enters YOLO Mode, the intermediary has a free hand, unconstrained by human oversight that might flag suspicious activity.

Malicious routers don't just wait for autonomy; they also monitor activity levels. Some intermediaries observed by the University of California, Santa Barbara, and Fuzzland researchers lay in wait for a specific number of requests—sometimes as many as 50 prior calls—before initiating their attack. This delayed execution helps them blend into normal traffic patterns, making detection incredibly difficult for developers and security teams.

Precision of these attacks is equally alarming. Some malicious routers specifically target development environments. They patiently scan for projects built using specific programming languages, such as Rust or Go, before injecting dependency-targeted malware. This allows attackers to deliver highly relevant and effective payloads, exploiting vulnerabilities in the toolchains or libraries commonly used by those ecosystems.

Consider the implications: an AI agent, tasked with complex development work, unknowingly routes its traffic through a compromised intermediary. The router observes the agent's initial innocuous tasks, perhaps fetching documentation or performing simple data analysis.

It silently waits until the agent transitions into autonomous operation, or reaches a predefined request threshold. Then, when the agent attempts to install a package for a Rust project, the malicious router swaps the legitimate dependency with a typo-squatted, attacker-controlled version, instantly granting a reverse shell or exfiltrating sensitive data. This quiet, calculated aggression highlights a profound shift in the threat landscape.

March 2026 brought the theoretical dangers of the "Your Agent is Mine" research into stark reality with the LiteLLM compromise. This high-profile incident proved that the vulnerabilities identified by researchers were not speculative, but actively exploited in the wild, transforming a widely used LLM API router into a vector for sophisticated cyberattacks against production systems.

Attackers executed a cunning dependency confusion attack against LiteLLM, a popular Python package designed to simplify routing requests to various LLMs and manage API keys. They injected malicious code into specific versions of the software, silently turning legitimate installations into tools for espionage. This sophisticated supply chain attack demonstrated the profound risk posed by seemingly innocuous third-party components within the critical path of AI agent operations.

The consequences were immediate and severe, impacting any organization utilizing the compromised versions. LiteLLM instances became unwitting data siphons, enabling the theft of critical operational information from their users. Attackers successfully exfiltrated a trove of sensitive data, including: - cloud credentials - SSH keys - Kubernetes secrets

This real-world breach unequivocally validated the threat of Malicious Intermediary Attacks, moving it far beyond academic papers. It cemented the research’s findings, illustrating how autonomous AI agents, when routed through compromised intermediaries, inadvertently become instruments for their own undoing, leaking vital infrastructure access. This is not another prompt injection; it's a fundamental breach of trust in the LLM supply chain.

Organizations relying on third-party LLM routers must now confront a tangible and immediate danger to their core infrastructure. The LiteLLM incident serves as a stark warning: the security of your AI stack is only as strong as its weakest link, often an unverified or compromised component deep within the supply chain. Attackers are actively targeting these intermediary layers, highlighting the urgent need for rigorous vetting and end-to-end cryptographic integrity across the entire LLM ecosystem. The threat is here.

LLM API routers, often deployed to manage costs or unify access, operate on a critical trust boundary. These intermediaries, including services like LiteLLM and OneAPI, are frequently treated as transparent pipes. However, they are active participants in the communication chain, making them a prime target for malicious actors. This fundamental technical failure exposes the entire LLM supply chain to compromise.

Standard TLS encryption offers no sanctuary from this threat. While TLS secures the connection between your agent and the router, the router itself is the endpoint of that session. It fully decrypts all incoming requests and outgoing responses. This grants the intermediary complete, plaintext access to sensitive data and tool calls, allowing silent modification before re-encryption and forwarding.

Researchers behind the "Your Agent is Mine" paper highlighted this systemic vulnerability. They conclude the current LLM ecosystem relies on 'fragile trust in intermediaries', a trust consistently betrayed in their findings. Their study revealed 9 routers actively injecting malicious code and 17 caught stealing AWS credentials, directly demonstrating this broken trust.

The only robust defense against malicious intermediaries involves cryptographic envelopes. This mechanism requires LLM providers to cryptographically sign their canonical responses. When your agent receives a model's output, it independently verifies the signature, proving the message's origin and ensuring no intermediary has tampered with the content.

Implementing provider-signed responses creates an immutable chain of trust, extending from the LLM provider directly to your agent. Without this verifiable origin, every API router remains a potential vector for payload injection and secret exfiltration. This architectural shift is crucial to prevent incidents like the LiteLLM compromise and safeguard against financial losses, as detailed in reports like Researchers discover malicious AI agent routers that can steal crypto - Cryptonews.net. This is the only way to secure autonomous agents from invisible manipulation.

Developers and organizations face an immediate imperative: fortify your AI agents against the insidious threat of Malicious Intermediary Attacks. The LLM supply chain, once perceived as transparent, now stands revealed as a critical attack surface demanding the same rigorous security posture as any other core infrastructure. Proactive measures are no longer optional but essential for safeguarding sensitive data and operational integrity.

Extreme vigilance is paramount when considering any third-party intermediary service—be it an API router like LiteLLM or OneAPI, or a custom proxy managing LLM credits. The "Your Agent is Mine" research starkly demonstrated the danger: 9 routers actively injected malicious code, 17 stole AWS credentials, and one even drained an Ethereum wallet. Where feasible, organizations must prioritize self-hosting these crucial components, maintaining direct control over the data flow and eliminating reliance on unvetted external entities. Thorough security audits are indispensable for any third-party service deemed unavoidable.

Implement robust client-side defenses directly within your agent's execution environment. Crucially, adopt a fail-closed policy for all tool calls and commands. Instead of allowing everything by default, explicitly allowlist only approved functions, APIs, and shell commands. This prevents rogue instructions from executing even if injected. Furthermore, deploy response-side anomaly screening to meticulously inspect model outputs for suspicious patterns, unexpected tool calls, or deviations from established behavior *before* any action is taken. Never operate agents in an unconstrained "YOLO mode" that bypasses human oversight or automated checks.

The long-term solution demands a fundamental shift from major model providers. OpenAI, Google, and Anthropic must collaboratively develop and implement end-to-end cryptographic signatures for all LLM responses. Such signatures would verify the integrity and authenticity of outputs, guaranteeing that the response received by the agent is precisely what the model generated, untouched by any intermediary. This critical security primitive would effectively neutralize Malicious Intermediary Attacks by making tampering instantly detectable.

Securing the LLM supply chain requires a collective industry effort. From individual developers adopting stringent security practices to leading AI companies embedding cryptographic trust at the protocol level, every link in the chain must be hardened. Only then can we truly trust the autonomous agents we empower, ensuring they remain powerful allies, not unwitting instruments of compromise.

What is the 'YOLO' Attack in LLM security?

The 'YOLO' Attack is a type of Malicious Intermediary Attack where a compromised API router intercepts and alters the tool calls an LLM makes. It's named for when attackers strike after an AI agent enters 'You Only Look Once' (YOLO) mode, operating autonomously without human approval.

How is the YOLO Attack different from prompt injection?

Prompt injection tricks the LLM into misbehaving. The YOLO Attack doesn't target the model itself; it targets the supply chain. A malicious router rewrites the model's legitimate output (like a command) after it has been generated, making it a post-processing, man-in-the-middle attack.

What is an LLM API router and why is it a vulnerability?

An LLM API router is a service that manages requests to multiple LLM providers for cost optimization or load balancing. It becomes a vulnerability because it sits between the user and the model provider with full plaintext access to all data, allowing a malicious router to read or modify anything.

How can developers protect their AI agents from this attack?

Developers should vet all third-party services, avoid using untrusted API routers, and implement client-side checks on tool calls. The ultimate solution requires model providers to implement end-to-end cryptographic signatures to verify the origin and integrity of their responses.