Still buying AI relay stations on Taobao? Whistleblower: Dozens at least have been poisoned due to Claude Code source code leak

Claude Code source code leak whistleblower’s latest research reveals that commercial AI intermediary stations hide cybersecurity risks. Real-world testing found that some intermediary stations steal credentials, wallet private keys, or inject malicious code, turning into supply-chain attack nodes.

Claude Code source code leak whistleblower reveals AI intermediary station cybersecurity risks

Recently, a research paper titled “Your Agent Is Mine” was published, and one of the authors is Chaofan Shou, the whistleblower who was the first to expose the Claude Code source code leak incident.

This paper is the first to conduct a systematic security threat study on third-party API routers for large language models (LLMs)—i.e., the so-called intermediary stations—and reveals that these intermediary stations may become nodes for supply-chain attacks.

What is an AI intermediary station?

Because calling LLMs consumes a large number of tokens and results in high computational costs, AI intermediary stations can cache repeated problem background explanations to help customers significantly reduce costs.

At the same time, intermediary stations have an automatic model allocation function that can dynamically switch between different billing standards and performance models based on the difficulty level of users’ questions, and can automatically switch to a backup model when a single-model server goes offline to ensure stable connections for the overall service.

Intermediary stations are especially popular in China because the country cannot directly use certain specific overseas AI products, and because enterprises have a need for localized billing; therefore, intermediary stations have become an important bridge connecting upstream models and downstream developers. Platforms such as OpenRouter and SiliconFlow are all in this category.

However, although intermediary stations appear to lower costs and technical barriers, they actually hide significant cybersecurity risks behind the scenes.

Image source: Research paper reveals AI intermediary station supply-chain attack risks

AI intermediary stations have full access rights, becoming vulnerable points in supply-chain attacks

The paper states that intermediary stations operate at the application layer of the network architecture, and have full plaintext read access to JSON payload data transmitted in the process.

Because there is no end-to-end encryption integrity verification between the client and the upstream model provider, intermediary stations can easily view and tamper with API keys, system prompt text, and the tool invocation parameters of model outputs.

The research team notes that as early as March 2026, the well-known open-source router LiteLLM was subjected to a dependency confusion attack, allowing attackers to inject malicious code into the request processing pipeline, highlighting the fragility of this step.

• **Related report:**LiteLLM hacker poisoning incident overview: How to check whether an encrypted wallet or cloud key is compromised?

Real-world tests show that dozens of AI intermediary stations exhibit malicious behavior

The research team actually bought 28 paid intermediary stations on platforms such as Taobao, Xianyu, and Shopify, and collected 400 free intermediary stations from public communities for in-depth testing. The test results found that a total of 1 paid intermediary station and 8 free intermediary stations would actively inject malicious code.

Among the tested samples of free intermediary stations, 17 intermediary stations attempted to use AWS decoy credentials provisioned by the researchers, and 1 intermediary station directly stole the cryptocurrencies inside the researchers’ Ethereum wallets.

Further research data shows that as long as intermediary stations reuse leaked upstream credentials, or route traffic to nodes with weaker security protections, even intermediary stations that originally seemed normal will be forced into the same attack surface.

In the poisoning tests, the research team found that these collateral nodes processed a total of more than 2.1 billion tokens, exposed 99 real credentials across 440 sessions, and with 401 sessions in a fully autonomous operating state—allowing attackers to inject malicious payloads directly and easily without using complex trigger conditions.

Image source: Research paper tested over 400 intermediary stations and found that dozens of AI intermediary stations have malicious behavior

Four core attack methods exposed

The paper categorizes the attack behaviors of malicious intermediary stations into two main core categories and two adaptive evasion variants.

• Payload injection attacks: After the upstream model returns results, the intermediary station quietly modifies tool invocation parameters—for example, replacing a legitimate URL with a server controlled by the attacker—leading the client to execute malicious code.
• Confidential data leakage attacks: The intermediary station intercepts and steals sensitive information such as API keys, Amazon Web Services (AWS) credentials, and Ethereum private keys by passively scanning transmitted traffic.

To evade routine cybersecurity detection, attackers further evolved a dependency-confusion-targeted injection technique. They specifically alter the package names in software package installation commands, replacing legitimate packages with malicious packages of the same name or easily confused names that have been published in public registries, thereby establishing persistent supply-chain backdoors in the target systems.

Another is a conditional delivery method, in which malicious behavior is triggered only under certain conditions, such as when the number of requests exceeds 50, or when the system is detected to be in a fully autonomous operating state (YOLO mode), so that the attack can avoid security review tests limited to a finite number of attempts.

Three feasible defense measures

In response to supply-chain poisoning attacks against AI intermediary stations, the paper proposes three feasible defense measures:

• Policy gateway for high-risk tools: By checking and blocking unauthorized domain names or package installation commands, this mechanism can block most payload injection attacks with a 1% false positive rate.
• Response-side anomaly filtering mechanism: With a 6.7% false positive rate, it can flag 89% of malicious payload samples, effectively helping developers perform manual review.
• Additional transparency log recording: While this mechanism cannot prevent attacks from occurring, it can store hash values of requests and responses, so that when a security incident occurs, it can be used for traceability and damage-scope assessment.

Call on upstream model providers to establish cryptographic verification mechanisms

Although client-side defense mechanisms can reduce some risks at the current stage, they cannot fundamentally resolve vulnerabilities in source identity verification. As long as the intermediary station’s modification behavior does not trigger abnormal alerts on the client side, attackers can still easily alter the semantics of program execution and carry out harm.

To fully safeguard the security of the AI agent ecosystem, ultimately it is necessary to rely on response mechanisms supported by cryptographic verification provided by upstream model providers. Only by rigorously cryptographically binding the results produced by the model to the final commands executed by the client can end-to-end data integrity be ensured, fully preventing supply-chain risks in which intermediary stations tamper with data.

Further reading:
OpenAI’s use of Mixpanel has a problem! It leads to some users’ personal information leaking—watch out for phishing emails

A copy-paste mistake caused 50 million dollars to evaporate! Crypto address poisoning scams reappear—how to prevent them?