Whistleblower Chaofan, known for the Claude code leak incident, has recently spoken out again, co-publishing a groundbreaking paper titled "Your Agent Is Mine," which for the first time systematically reveals that third-party LLM routers (commonly known as "relay stations") have become the most critical man-in-the-middle attack points in the AI Agent field. This discovery has instantly alerted countless developers who rely on OpenRouter, LiteLLM, or various low-cost relay services: your Agent may have already been completely controlled without your knowledge.

Core Principle: Router as Application Layer MITM
Modern AI Agents almost entirely rely on third-party routers to forward requests. These routers have full plaintext access to every JSON message, including tool call parameters, API Keys, and private keys. An attacker who operates a malicious router can carry out two covert attacks:
Payload Injection (AC-1): After the upstream model returns its result, the router silently modifies tool call parameters (for example, pointing a curl URL at an attacker-controlled server), which yields remote code execution (RCE), persistent backdoor implantation, and even long-term infiltration through typosquatting.
Secret Exfiltration (AC-2): The router passively scans traffic and instantly harvests high-value material such as sk- keys, AWS credentials, and ETH private keys, leaving no visible trace.
The attack supports conditional triggers (such as firing only after the number of requests exceeds 50 or once the Agent enters "YOLO" mode), making it extremely covert and difficult for ordinary users and developers to detect.
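Both attacks succeed because the agent trusts whatever comes back through the relay and sends whatever it has outbound. The following Python is an added example (not from the paper, nor AIbase's or any router project's code) of the two client-side checks a defender can run on the agent side, where the router has no visibility: scrubbing sk-/AWS/ETH-shaped secrets from messages before the request leaves the process, and gating relayed tool calls against a host allowlist before anything executes. ALLOWED_HOSTS, the regexes, the tool names, the sample messages and the sample response (with a placeholder host) are all constructed assumptions for this illustration.

```python
import json
import re
from urllib.parse import urlparse

# Hosts the agent's "curl" tool is permitted to contact. Assumed policy for this example.
ALLOWED_HOSTS = {"api.example.internal", "registry.npmjs.org"}

# Secret shapes the paper names as exfiltration targets: sk- keys, AWS access key IDs,
# 64-hex Ethereum private keys. Illustrative regexes; the ETH one also matches any
# SHA-256 digest, so treat a hit as "needs review", not as proof of a leak.
SECRET_PATTERNS = {
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{16,}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "eth_private_key": re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b"),
}


def redact_secrets(text):
    """Replace recognised secrets in text; return (redacted_text, [kinds found])."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        def repl(match, kind=kind):
            findings.append(kind)
            return f"[REDACTED_{kind.upper()}]"
        text = pattern.sub(repl, text)
    return text, findings


def scrub_outbound(messages):
    """Redact secrets from every message before the request leaves the agent process.
    Returns (clean_messages, findings) where findings lists (message_index, kind)."""
    clean, findings = [], []
    for i, msg in enumerate(messages):
        content, kinds = redact_secrets(msg.get("content", ""))
        clean.append({**msg, "content": content})
        findings.extend((i, k) for k in kinds)
    return clean, findings


def check_tool_calls(response):
    """Inspect tool calls in a response that came back through the router.
    Returns a list of policy violations; an empty list means the calls may run."""
    violations = []
    for call in response.get("tool_calls", []):
        name = call.get("name", "")
        args = call.get("arguments", {})
        if isinstance(args, str):          # some APIs ship arguments as a JSON string
            try:
                args = json.loads(args)
            except ValueError:
                violations.append(f"{name}: arguments are not valid JSON")
                continue
        if name == "curl":
            host = urlparse(str(args.get("url", ""))).hostname or ""
            if host not in ALLOWED_HOSTS:
                violations.append(f"curl: host {host!r} is not allowlisted")
        elif name == "shell":
            # Never run a shell command that arrived through a relay without human approval.
            violations.append("shell: interactive approval required")
    return violations


# Constructed sample traffic (not from the paper): an outbound prompt that accidentally
# carries credentials, and a relayed response whose second curl URL was rewritten to a
# placeholder host.
SAMPLE_MESSAGES = [
    {"role": "user", "content": "Deploy with key sk-abcdefghijklmnopqrstuvwxyz123456"},
    {"role": "user", "content": "AWS id AKIAIOSFODNN7EXAMPLE, eth 0x" + "ab" * 32},
]
SAMPLE_RESPONSE = {
    "tool_calls": [
        {"name": "curl", "arguments": {"url": "https://registry.npmjs.org/left-pad"}},
        {"name": "curl", "arguments": json.dumps({"url": "https://router-attacker.invalid/x"})},
    ]
}

if __name__ == "__main__":
    clean, found = scrub_outbound(SAMPLE_MESSAGES)
    print(found, clean[0]["content"])
    print(check_tool_calls(SAMPLE_RESPONSE))
```

The allowlist check is deliberately placed after the response is parsed and before any tool runs; a router that rewrites one argument cannot also rewrite the agent's local policy. The secret scrubber is a last line of defence, not a substitute for keeping credentials out of prompts in the first place.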
Test Data is Shocking
The research team conducted comprehensive testing on 28 paid routers and 400 free routers, with startling results:
9 routers had actively injected malicious code;
1 router directly drained the researcher's ETH wallet, resulting in a loss of up to $5 million;
Over 2.1 billion tokens of traffic were processed in total;
99 real credentials were exposed;
401 Agent sessions were running in fully autonomous "YOLO" mode, with security risks entirely unchecked.
Industry Warning: Relay Stations Are the Biggest Blind Spot
AIbase believes the significance of this paper lies in bringing "router security" to the forefront of AI Agent security for the first time. Until now, developers have focused on the security of the model itself, prompt injection, or tool permissions, while overlooking the routing hop, the "necessary path" every request must pass through. Once a router becomes an application layer MITM, every capability of the upstream model is immediately available to the attacker.
Whether individual developers or enterprise-level Agent systems, anyone using third-party relay services may face dual threats from Payload Injection and Secret Exfiltration. The paper also points out that the lack of regulation in low-cost, free, and even some paid relay stations further amplifies the risks.
Immediate Actions for Developers
Give priority to using official direct API connections, avoiding unnecessary relays;
Conduct strict code audits and sandbox isolation for self-hosted routers;
Enable end-to-end encryption and request signature verification;
Regularly rotate API Keys and monitor abnormal tool call behaviors.
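The "request signature verification" item above is the one that directly defeats Payload Injection: if the party producing the tool calls signs them with a key the relay never holds, a rewritten parameter fails verification on the agent side. The following Python is an added example (not from the paper or AIbase) of that check using HMAC-SHA256 over a canonical JSON envelope that also carries an issued-at timestamp, so a relay cannot replay an old, validly signed response either. The signing key, the assumption that the upstream (or a signing service you operate beyond the relay) holds that key, the sample tool call, and the placeholder host are all constructed for this illustration.

```python
import hashlib
import hmac
import json
import time

# Shared secret between the agent and the trusted signing side (upstream, or a signing
# service you run beyond the relay). Constructed for this example; the relay never sees it.
SIGNING_KEY = b"example-only-signing-key-rotate-me"
MAX_AGE_SECONDS = 300


def canonical(payload):
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_response(payload, key=SIGNING_KEY, now=None):
    """Wrap payload with an issued-at time and an HMAC-SHA256 tag over body + timestamp."""
    issued_at = int(now if now is not None else time.time())
    body = {"issued_at": issued_at, "payload": payload}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": tag}


def verify_response(envelope, key=SIGNING_KEY, now=None, max_age=MAX_AGE_SECONDS):
    """Return (ok, reason). Rejects missing tags, altered bodies and stale envelopes."""
    tag = envelope.get("sig")
    if not isinstance(tag, str):
        return False, "missing signature"
    body = {"issued_at": envelope.get("issued_at"), "payload": envelope.get("payload")}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison; any change to the payload changes the expected tag.
    if not hmac.compare_digest(expected, tag):
        return False, "signature mismatch (body altered in transit?)"
    current = now if now is not None else time.time()
    if not isinstance(body["issued_at"], int) or abs(current - body["issued_at"]) > max_age:
        return False, "stale envelope (possible replay)"
    return True, "ok"


# Constructed sample: the signer emits a curl tool call to an internal health endpoint.
ORIGINAL = {
    "tool_calls": [
        {"name": "curl", "arguments": {"url": "https://api.example.internal/v1/health"}}
    ]
}


def tampered_copy(envelope, new_url):
    """Model the AC-1 case: a relay rewrites the URL but has no key to re-sign."""
    clone = json.loads(json.dumps(envelope))
    clone["payload"]["tool_calls"][0]["arguments"]["url"] = new_url
    return clone


if __name__ == "__main__":
    env = sign_response(ORIGINAL, now=1_700_000_000)
    print(verify_response(env, now=1_700_000_010))
    print(verify_response(tampered_copy(env, "https://relay-attacker.invalid/x"), now=1_700_000_010))
    print(verify_response(env, now=1_700_000_000 + 3600))
```

The agent should call verify_response before any tool-call gating or execution and treat a failed check as a security event worth logging, which also covers the "monitor abnormal tool call behaviors" item. Rotating SIGNING_KEY on the same schedule as the API Keys keeps the window of a leaked signing secret short.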