Some LLM routers are injecting malicious tool calls
Researchers identified 26 LLM router services secretly injecting malicious tool calls to steal user credentials, with at least one incident resulting in a $500,000 cryptocurrency loss. This is active exploitation in production systems, not a theoretical risk, and it exposes a fun...
Chaofan Shou, a researcher on the Solayer team, published findings on April 10, 2026, documenting a critical security vulnerability affecting LLM routers, the proxy services that sit between your application and AI model providers like OpenAI or Anthropic. According to coverage surfaced through Hacker News and reporting aggregated by PA News Lab, Shou's research revealed that 26 separate router services had been compromised to secretly inject malicious tool calls, allowing attackers to harvest credentials and execute unauthorized commands without any visible indication to affected users.
Why This Matters
This is not a niche developer problem. LLM routers are infrastructure that thousands of production applications depend on, and the attack surface here is enormous because these services sit on top of centralized credential stores. The fact that 26 services were simultaneously compromised points to a systemic vulnerability, not an isolated incident. One organization already lost $500,000 in cryptocurrency wallet assets, which means the security community is already behind the attackers. Anyone running an AI-powered product through a third-party routing service needs to treat this as an active threat, not a future concern.
Daily briefing from 50+ sources. Free, 5-minute read.
The Full Story
LLM routers emerged as a practical solution to a real operational headache. When a company wants to route requests across multiple AI providers, juggling separate API keys, managing load balancing, and handling fallback logic across OpenAI, Anthropic, Google, and others is genuinely complex. Proxy services promised to solve that by centralizing everything in one place. The problem, as Shou's research makes painfully clear, is that centralizing sensitive credentials also centralizes risk.
The attack vector works by injecting malicious tool calls directly into the routing logic of these proxy services. When an LLM responds to a user request, it can also call external tools or APIs, which is a core feature of modern AI agent architectures. Attackers who control or compromise a router can silently insert additional tool calls that the user never authorized. Those calls can exfiltrate API keys, access cloud credentials, or execute arbitrary commands against connected infrastructure. The user sees a normal response. The damage happens in the background.
Shou's team did not just identify the vulnerability theoretically. They performed a proof-of-concept "poisoning" attack against one router and within hours had redirected its traffic to capture control over approximately 400 hosts. That number is striking because it illustrates how quickly a single compromised intermediary can cascade into broad infrastructure compromise. The attackers are not going after one target at a time. They are going after the pipe that connects to everyone.
The confirmed $500,000 loss came from cryptocurrency wallet credentials that passed through one of the compromised routers. This detail matters because it grounds the research in documented financial harm. Security researchers often work in theoretical space, but this finding came with receipts. The Solayer team had previously published academic work on the risks inherent in third-party LLM proxy services, and this April 2026 disclosure validated those earlier theoretical concerns with real-world evidence.
What makes this particularly hard to defend against is the nature of tool call injection versus older attack types. Traditional API security monitoring looks for unexpected outbound requests or anomalous authentication attempts. Malicious tool calls look, at least superficially, like legitimate AI agent behavior. Defenders need to build new monitoring capabilities specifically designed to audit what tools their AI systems are actually invoking, not just whether the model returned a valid response.
Key Details
- Chaofan Shou of the Solayer team published the research on April 10, 2026, via the X platform.
- Researchers identified 26 separate LLM router services injecting malicious tool calls.
- At least one confirmed incident resulted in a $500,000 cryptocurrency wallet loss.
- A proof-of-concept poisoning attack compromised approximately 400 hosts within hours of execution.
- The attack targets the centralized API keys and cloud credentials stored within LLM proxy services.
- The Solayer team had published prior academic research on proxy system vulnerabilities before this live exploitation was documented.
What's Next
Organizations running production AI applications through any third-party LLM router should immediately audit which tool calls their systems are authorized to make and build monitoring that logs every tool invocation against an approved allowlist. The security community will likely push for formal auditing standards for LLM proxy services over the next six to twelve months, similar to the SOC 2 compliance frameworks that became standard for SaaS infrastructure. Watch for major router providers to publish security audits or face mounting pressure from enterprise customers who cannot afford the exposure.
How This Compares
The Solayer findings did not arrive in isolation. Approximately three weeks earlier, on March 26, 2026, Trend Micro published a 6,971-word analysis authored by Peter Girnus, Fernando Tucci, Deep Patel, Simon Dulude, Ashish Verma, and John Rainier Navato documenting the LiteLLM supply chain compromise. That attack involved two versions of LiteLLM, one of the most widely used AI proxy packages, being pushed to PyPI with malicious code embedded. Trend Micro described the campaign by the group they identified as TeamPCP as one of the most sophisticated multi-ecosystem supply chain attacks publicly documented. The LiteLLM incident and the Solayer router disclosures together paint a picture of coordinated, simultaneous pressure on multiple layers of the AI infrastructure stack in early 2026.
Compare this to the UK National Cyber Security Centre's December 2025 warning about prompt injection attacks. The NCSC cautioned that developers were incorrectly treating prompt injection as analogous to SQL injection, an understandable but dangerous oversimplification. The concern at that point was still primarily about manipulating model inputs. Tool call injection, documented just four months later, represents a meaningfully more dangerous escalation because it does not just change what the model says but directly controls what systems the model touches. The NCSC warning looks prescient in hindsight, but it also shows how fast this attack surface is evolving.
There is also a relevant body of academic research that deserves attention. A paper on "DoubleAgents: Fine-Tuning LLMs for Covert Malicious Tool Calls" generated 98 points and 30 comments on Hacker News, signaling that the technical community had been theorizing about exactly this attack vector before it appeared in production. The jump from academic paper to active exploitation in 26 services within months is unusually fast, and it suggests that attackers are watching the research literature closely. You can find ongoing coverage of AI security tools and AI platforms relevant to this threat vector as the situation develops.
FAQ
Q: What is an LLM router and why do developers use one? A: An LLM router is a proxy service that sits between your application and multiple AI providers like OpenAI or Anthropic. Developers use them to manage API keys in one place, balance traffic across providers, and handle failover logic without rewriting application code for every model. The convenience is real, but centralizing credentials in a third-party service creates exactly the kind of single point of failure that attackers target.
Q: How can I tell if my AI application was affected by malicious tool calls? A: The honest answer is that without specific monitoring, you probably cannot tell after the fact. You need logging that captures every tool call your AI system makes, not just model inputs and outputs. Check your guides for practical steps on setting up tool call auditing in agent frameworks, and review your cloud provider logs for any credential usage you did not initiate.
Q: What is the difference between prompt injection and tool call injection? A: Prompt injection manipulates what the model says or how it responds by crafting adversarial inputs. Tool call injection goes a step further by controlling which external functions or APIs the model actually executes. The first changes the model's words. The second changes the model's actions, which can mean unauthorized API requests, credential theft, or commands executed against real infrastructure.
The AI infrastructure supply chain is now a primary target for sophisticated attackers, and the speed from published research to active exploitation means defenders have very little runway. Keep up with the latest developments at AI Agents Daily news as this story continues to evolve. Subscribe to the AI Agents Daily weekly newsletter for daily updates on AI agents, tools, and automation.
Get stories like this daily
Free briefing. Curated from 50+ sources. 5-minute read every morning.
