On April 10, a security researcher disclosed a systemic supply chain security vulnerability in the LLM ecosystem: in hands-on testing of 428 third-party API routers, more than 20% of the free routers were found to be actively injecting malicious code, and one router successfully stole ETH from a private key controlled by the researchers.
LLM Router Supply Chain Vulnerability: Systemic Risks Revealed by Research Data
A social media researcher, @Fried_rice, pointed out that third-party API routers widely adopted in the LLM agent ecosystem are, in practice, application-layer proxies inserted between the client and upstream model, able to read the JSON payload in every transmission in plain text. The core problem is that, as of now, no router provider enforces encrypted integrity protection between the client and the upstream model, making routers a high-value point of intervention for supply chain attacks.
Four Key Findings from the Research Tests
Malicious code actively injected: 1 paid router and 8 free routers (over 20%) are actively injecting malicious code into the payloads in transit
Adaptive evasion mechanisms: 2 routers deployed triggers that can dynamically evade detection, hiding malicious behavior during security review
Credential probing: 17 routers touched the AWS Canary credentials deployed by the researchers, indicating the presence of active credential-stealing attempts
Theft of encrypted assets: 1 router stole ETH from a private key held by the researchers, confirming that the vulnerability can directly lead to on-chain asset losses
Poisoning experiments further revealed the scope of the vulnerability: a leaked OpenAI API key was used to generate 100 million GPT-5.4 tokens; weaker lure configurations produced 2 billion billable tokens, 99 credentials spanning 440 Codex sessions, and 401 sessions running under the self-initiated “YOLO mode.”
Claude code leak: an attack chain from human error to hacker exploitation
In late March 2026, a Java source code mapping file (Source Map File) in the NPM repository for Claude code was accidentally exposed, after which large numbers of developers promptly downloaded and shared it. Anthropic admitted that internal source code had leaked, caused by human error.
However, hackers quickly turned the incident into an attack vector. Zscaler found that attackers, using the name “Claude Code Leak,” distributed ZIP archives on GitHub, claiming they contained special versions of Claude code compiled from leaked source code, with enterprise-grade functionality and no message restrictions. If developers followed the instructions and ran it, their devices would be implanted with the stealware Vidar and the proxy server tool GhostSocks. This attack chain precisely leverages developers’ curiosity and attention to official leak events— a typical composite attack combining social engineering and malware.
Defense mechanisms: three layers of client-side protection verified by research
The research team also developed a research proxy called Mine, validating three client-side defense mechanisms that are effective:
Failure-closed policy gating (Circuit Breaker Policy Gating): automatically cuts off the connection when abnormal router behavior is detected, preventing malicious instruction delivery
Response-side anomaly screening: performs integrity verification on router-returned responses to identify tampered content
Append-only transparent logging: creates tamper-proof operational audit records for later traceability and analysis
Frequently Asked Questions
What is an LLM API router, and why does its existence create a supply chain security risk?
An LLM API router is a third-party service that acts as a proxy between AI applications and upstream model providers, able to dispatch tool-call requests to multiple upstream providers. Because routers can read the JSON payloads in every transmission in plain text, and because there is currently no end-to-end encryption protection, a malicious or compromised router can inject malicious code, steal API credentials, or steal encrypted assets without the user knowing.
What caused the Claude code leak incident, and why was it exploited by hackers?
The Claude code leak was caused by an Anthropic insider accidentally exposing a Java source code mapping file in the NPM repository. After the leak drew widespread attention, hackers leveraged developers’ curiosity about the leaked content to distribute malicious compressed packages disguised as leaked code on GitHub, successfully leading targeted users to install malware.
How can developers protect themselves in this kind of supply chain attack?
Key protective measures include: using only router services from trusted sources with clear security audit records; refusing to download “special version” code claimed from unofficial channels; implementing the principle of least privilege in API credential management; and enabling response-side anomaly detection in LLM agent frameworks to avoid on-chain asset losses caused by router compromise.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Bitmine’s weekly net accumulation exceeds 100k ETH, moving even closer to the “5% of total Ethereum supply” target
Bitmine increases its weekly holdings by 101,627 ETH, bringing its total holdings to nearly 5 million ETH. This article breaks down the logic behind institutional-grade ETH accumulation of staking returns, the trend toward institutionalization, and its impact on Ethereum’s supply structure.
GateInstantTrends27m ago
Arbitrum Security Council Freezes 30,766 ETH From KelpDAO Exploit, 9 of 12 Members Vote in Favor
Arbitrum froze 30,766 ETH from the KelpDAO hack, worked with law enforcement, and recovered about a quarter of assets, while locking funds pending governance amid decentralization versus security debates.
Abstract: This article reports that the Arbitrum Security Council froze 30,766 ETH (about $70 million) tied to the KelpDAO exploit, with nine of twelve votes, and moved funds to a secure wallet in coordination with law enforcement. The operation targeted only affected assets to minimize network disruption. The exploiter is suspected to be DPRK-associated. The breach began April 18 via a LayerZero-powered bridge, draining 116,500 rsETH (~$292 million). About a quarter of stolen assets have been recovered. The frozen funds will remain locked until governance and legal authorities decide the next steps, prompting debate over decentralization versus security.
GateNews1h ago
Tether Mints 1 Billion USDT on Ethereum
Gate News message, April 21 — According to Onchain Lens, Tether minted 1 billion USDT on Ethereum eight minutes ago.
GateNews1h ago
OCBC Launches GOLDX Tokenized Gold Fund on Ethereum and Solana
OCBC launches GOLDX, a tokenized physical gold fund on Ethereum and Solana with Lion Global Investors and DigiFT, targeting institutions and Web3 participants; tokenized RWAs reach $29B on chains.
OCBC, with Lion Global Investors and DigiFT, introduced GOLDX, a tokenized version of the LionGlobal Singapore Physical Gold Fund on Ethereum and Solana. The product targets institutional investors and high‑net‑worth individuals, allowing purchases with stablecoins or fiat and delivery to blockchain wallets, providing on‑chain exposure to about $525 million in gold assets. OCBC views GOLDX as a milestone linking traditional finance with the decentralized finance ecosystem to attract Web3 participants. The broader context shows rapid growth in tokenized real‑world assets, with RWAs on public blockchains exceeding $29 billion by mid‑April 2026, while gold prices traded in a tight range around $4,775–$4,831 per ounce.
GateNews1h ago
Bitmine bought 101627 ETH last week! Tom Lee: Crypto winter is nearing its end
Bitmine Immersion Technologies (BMNR) announced on April 20 that it purchased 101,627 Ethereum (ETH) last week, the largest week-over-week purchase since 2026, bringing its total ETH holdings to 4,976,000. Bitmine chairman Tom Lee said publicly that the crypto winter is closer to ending than the market expects.
MarketWhisper4h ago
Arbitrum emergency freezes KelpDAO hacker’s 30,766 ETH
Arbitrum’s Security Committee announced on April 21 that it has taken emergency action to freeze 30,766 ETH on the Arbitrum One chain related to the KelpDAO hacker attack. With assistance from law enforcement agencies, the Security Committee confirmed the attacker’s identity and devised a technical plan to transfer the funds to an interim freeze wallet without affecting any other chain state or Arbitrum users.
MarketWhisper4h ago
