Claude code leak sparks an LLM crisis, hackers have stolen researchers’ ETH

On April 10, a security researcher disclosed a systemic supply chain security vulnerability in the LLM ecosystem: in hands-on testing of 428 third-party API routers, more than 20% of the free routers were found to be actively injecting malicious code, and one router successfully stole ETH from a private key controlled by the researchers.

LLM Router Supply Chain Vulnerability: Systemic Risks Revealed by Research Data

A social media researcher, @Fried_rice, pointed out that third-party API routers widely adopted in the LLM agent ecosystem are, in practice, application-layer proxies inserted between the client and upstream model, able to read the JSON payload in every transmission in plain text. The core problem is that, as of now, no router provider enforces encrypted integrity protection between the client and the upstream model, making routers a high-value point of intervention for supply chain attacks.

Four Key Findings from the Research Tests

Malicious code actively injected: 1 paid router and 8 free routers (over 20%) are actively injecting malicious code into the payloads in transit

Adaptive evasion mechanisms: 2 routers deployed triggers that can dynamically evade detection, hiding malicious behavior during security review

Credential probing: 17 routers touched the AWS Canary credentials deployed by the researchers, indicating the presence of active credential-stealing attempts

Theft of encrypted assets: 1 router stole ETH from a private key held by the researchers, confirming that the vulnerability can directly lead to on-chain asset losses

Poisoning experiments further revealed the scope of the vulnerability: a leaked OpenAI API key was used to generate 100 million GPT-5.4 tokens; weaker lure configurations produced 2 billion billable tokens, 99 credentials spanning 440 Codex sessions, and 401 sessions running under the self-initiated “YOLO mode.”

Claude code leak: an attack chain from human error to hacker exploitation

In late March 2026, a Java source code mapping file (Source Map File) in the NPM repository for Claude code was accidentally exposed, after which large numbers of developers promptly downloaded and shared it. Anthropic admitted that internal source code had leaked, caused by human error.

However, hackers quickly turned the incident into an attack vector. Zscaler found that attackers, using the name “Claude Code Leak,” distributed ZIP archives on GitHub, claiming they contained special versions of Claude code compiled from leaked source code, with enterprise-grade functionality and no message restrictions. If developers followed the instructions and ran it, their devices would be implanted with the stealware Vidar and the proxy server tool GhostSocks. This attack chain precisely leverages developers’ curiosity and attention to official leak events— a typical composite attack combining social engineering and malware.

Defense mechanisms: three layers of client-side protection verified by research

The research team also developed a research proxy called Mine, validating three client-side defense mechanisms that are effective:

Failure-closed policy gating (Circuit Breaker Policy Gating): automatically cuts off the connection when abnormal router behavior is detected, preventing malicious instruction delivery

Response-side anomaly screening: performs integrity verification on router-returned responses to identify tampered content

Append-only transparent logging: creates tamper-proof operational audit records for later traceability and analysis

Frequently Asked Questions

What is an LLM API router, and why does its existence create a supply chain security risk?

An LLM API router is a third-party service that acts as a proxy between AI applications and upstream model providers, able to dispatch tool-call requests to multiple upstream providers. Because routers can read the JSON payloads in every transmission in plain text, and because there is currently no end-to-end encryption protection, a malicious or compromised router can inject malicious code, steal API credentials, or steal encrypted assets without the user knowing.

What caused the Claude code leak incident, and why was it exploited by hackers?

The Claude code leak was caused by an Anthropic insider accidentally exposing a Java source code mapping file in the NPM repository. After the leak drew widespread attention, hackers leveraged developers’ curiosity about the leaked content to distribute malicious compressed packages disguised as leaked code on GitHub, successfully leading targeted users to install malware.

How can developers protect themselves in this kind of supply chain attack?

Key protective measures include: using only router services from trusted sources with clear security audit records; refusing to download “special version” code claimed from unofficial channels; implementing the principle of least privilege in API credential management; and enabling response-side anomaly detection in LLM agent frameworks to avoid on-chain asset losses caused by router compromise.