Paper Flags Malicious LLM Routers

This is the kind of security paper that should make teams reassess any cost-saving proxy in the agent path. The uncomfortable part is not just that malicious routers exist, but that adaptive evasion and poisoning tricks let them survive casual testing.

• –2.1% active malice in a sampled router market is high enough to treat third-party routing as an adversarial layer, not a neutral optimization
• –The ETH drain and AWS-canary touches move this from theoretical prompt-tampering into demonstrated credential and asset theft
• –The poisoning studies show how easy it is to turn “benign” routing into a data-harvesting channel once secrets or weak decoys enter the workflow
• –Fail-closed schema validation and append-only tool-call logging are sensible client-side controls, but they mitigate damage after trust has already been broken
• –Enterprise gateways that route directly to providers are a different risk profile; the paper’s warning is aimed at gray-market and community proxy ecosystems