Claude code leak whistleblower reveals major security risks in the LLM supply chain: Over 20% of free routes reportedly maliciously injected

AIMPACT News, April 10 (UTC+8), whistleblower @Fried_rice posted on social media that large language model (LLM) agents are increasingly relying on third-party API routers to dispatch tool call requests to multiple upstream providers. These routers operate as application layer proxies, capable of accessing each transmitted JSON payload in plaintext, but currently no provider enforces encryption integrity protection between the client and upstream models.

The paper tested 28 paid routers purchased from Taobao, Xianyu, and Shopify standalone sites, as well as 400 free routers collected from public communities. The results found that 1 paid router and 8 free routers actively injected malicious code, 2 deployed adaptive evasion triggers, 17 touched AWS Canary credentials owned by researchers, and 1 stole ETH from a private key held by researchers.

Two poisoning studies further demonstrated that seemingly harmless routers can also be exploited: a leaked OpenAI key was used to generate 100 million GPT-5.4 tokens and over 7 Codex sessions; while weakly configured decoys produced 2 billion billing tokens, 99 credentials across 440 Codex sessions, and 401 sessions running in autonomous YOLO mode.

The research team built a research proxy called Mine, capable of executing all four attack types on four open proxy frameworks, and verified three client defenses: fault lockout policy gating, response-side anomaly screening, and append-only transparent logging. (Source: X platform)