Create a Video View Paper

Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain

This presentation examines a critical vulnerability in modern AI agent architectures: malicious intermediaries in the LLM supply chain. By analyzing 428 real-world API routers, the research reveals how third-party routing services can intercept, modify, and weaponize agent tool calls without detection. The talk covers the threat model, empirical measurements of active attacks in the wild, and evaluates practical defenses against payload injection and credential theft.

Script

Every autonomous agent you deploy trusts an invisible intermediary with everything: your credentials, your tool calls, and your model outputs. That intermediary can rewrite them at will, and you would never know.

These routers—services like LiteLLM and OpenRouter—are voluntarily configured by users to balance and optimize model access. But this creates an application-layer trust boundary with zero protection. The router sees everything in plaintext, and nothing prevents it from changing tool arguments before your agent executes them.

So what happens when researchers actually look at real routers?

The researchers analyzed 428 routers from black markets and public communities. Nine perform active code injection. Seventeen steal credentials. One steals cryptocurrency. And when benign routers are poisoned with leaked credentials, they relay 100 million tokens through potentially malicious chains—demonstrating that the weakest link determines your entire security posture.

The attack proxy, called Mine, achieved 100% compatibility against four major agent frameworks. It adds less than a millisecond of latency—less than typical model jitter—and operates entirely below the model layer. No framework enforces response integrity, so none can detect the manipulation.

Three client-side mitigations were tested. Policy gates achieve low false positive rates but can be bypassed. Anomaly detection catches most simple attacks but misses adaptive ones. Transparency logs help you understand what happened after the damage is done. None provide cryptographic proof of origin, because the architecture doesn't support it.

The voluntary placement of routers in agent pipelines has created an integrity gap that palliative defenses cannot close. Real security will require provider-signed canonical responses—essentially, cryptographic envelopes that bind tool calls to their true origin. Until then, your agent might not be yours at all. Visit EmergentMind.com to learn more and create your own research videos.