Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain

Date: 2026-04-09
Citations: 0 (influential: 0)
AI Summary
This work addresses a critical security gap in large language model (LLM) agents that rely on third-party API routers to forward tool invocations without end-to-end encryption, rendering them vulnerable to malicious intermediaries. We formalize, for the first time, a threat model for adversarial routers within the LLM supply chain and introduce a taxonomy of four attack classes, with particular emphasis on payload injection and credential theft—including their adaptive variants. Through empirical measurements, honeypot credential tracking, and a custom attack agent dubbed Mine, we uncover active exploitation across 68 real-world routers, including incidents involving Ethereum private key exfiltration. We further evaluate three client-side defenses—fail-closed policies, response anomaly detection, and append-only transparent logging—and demonstrate their efficacy, establishing a reproducible framework for secure LLM tool invocation.
Abstract
Large language model (LLM) agents increasingly rely on third-party API routers to dispatch tool-calling requests across multiple upstream providers. These routers operate as application-layer proxies with full plaintext access to every in-flight JSON payload, yet no provider enforces cryptographic integrity between client and upstream model. We present the first systematic study of this attack surface. We formalize a threat model for malicious LLM API routers and define two core attack classes, payload injection (AC-1) and secret exfiltration (AC-2), together with two adaptive evasion variants: dependency-targeted injection (AC-1.a) and conditional delivery (AC-1.b). Across 28 paid routers purchased from Taobao, Xianyu, and Shopify-hosted storefronts and 400 free routers collected from public communities, we find 1 paid and 8 free routers actively injecting malicious code, 2 deploying adaptive evasion triggers, 17 touching researcher-owned AWS canary credentials, and 1 draining ETH from a researcher-owned private key. Two poisoning studies further show that ostensibly benign routers can be pulled into the same attack surface: a leaked OpenAI key generates 100M GPT-5.4 tokens and more than seven Codex sessions, while weakly configured decoys yield 2B billed tokens, 99 credentials across 440 Codex sessions, and 401 sessions already running in autonomous YOLO mode. We build Mine, a research proxy that implements all four attack classes against four public agent frameworks, and use it to evaluate three deployable client-side defenses: a fail-closed policy gate, response-side anomaly screening, and append-only transparency logging.
Problem

Research questions and friction points this paper is trying to address.

Keywords: LLM supply chain, malicious intermediary attacks, API routers, payload injection, secret exfiltration
Innovation

Methods, ideas, or system contributions that make the work stand out.

Keywords: LLM supply chain, malicious intermediary, payload injection, secret exfiltration, client-side defense
Authors

Hanzhi Liu, University of California, Santa Barbara
Chaofan Shou, Fuzzland
Hongbo Wen, University of California, Santa Barbara
Yanju Chen, University of California, San Diego (Program Synthesis, Program Verification, Programming Languages)
Ryan Jingyang Fang, World Liberty Financial
Yu Feng, University of California, Santa Barbara (Programming Languages, Program Verification, Program Synthesis, Security)