Malicious LLM Proxy Routers Compromise AI Security

Malicious LLM Proxy Routers Compromise AI Security

First seen 15 Apr 2026, 12:18 UTC Risky.BizNews.Risky.Bizhaveibeenpwned.comwww.nyk.comshipandbunker.com+2 88% similarity 71.0

Article Content

Browse articles
ThreatCluster

A recent study identified 28 malicious LLM proxy routers that can modify AI service responses and access sensitive credentials. The research tested 28 paid routers and 400 free routers, revealing that nine injected harmful commands, two employed delay triggers, and 17 accessed AWS account canaries. One router was capable of emptying a private Ethereum wallet, indicating severe malicious intent. The compromised routers can relay commands across a company's AI infrastructure, posing a significant risk of malware, credential theft, and data exfiltration. The research team demonstrated the threat by leaking an OpenAI API key, leading to over 400 sessions into their proxy mesh. This incident highlights vulnerabilities in AI cost-control systems and the potential for widespread impact on organizations utilizing LLMs. The findings emphasize the need for heightened security measures in AI deployments.

Key Points: • 28 malicious LLM proxy routers were identified, compromising AI service security. • One router was capable of emptying a private Ethereum wallet, showcasing severe risk. • Over 400 sessions were observed exploiting a leaked OpenAI API key through compromised routers.

ThreatCluster AI

Timeline

2025-04-29
CVE-2025-0520 published
2026-04-09
CVE-2026-5194 published
2026-04-14
CVE-2026-32201 published and added to CISA KEV
2026-04-15
Study on malicious LLM proxy routers published

Community

Browse all →