3 points by bpierre 5 hours ago | 1 comment
  • riteshkew10012 hours ago
    Really interesting empirical work here. Researchers tested 28 paid and 400 free LLM API routers and found some nasty stuff: 17 routers accessed their AWS credentials, one actually drained crypto from test wallets, and leaked API keys were used to generate 100M+ tokens.

    The attack taxonomy stands out: payload injection, secret exfiltration, dependency-targeted injection, conditional delivery. That last one is tricky: routers that only activate malicious behavior under certain conditions; 2 of them were already doing evasion techniques in the open.

    Feels like the same trust problem package managers had 10 years ago, except now the intermediary sees your full unencrypted JSON payloads, including tool calls and responses. The "free tier" routers were way worse (8 out of 400 injecting malicious code), but even paid ones aren't clean (1 out of 28).
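Since a router sits in the middle of the exchange and can rewrite the JSON in transit, one client-side mitigation for the payload-injection case is to audit each response against the request that produced it. The following is an added example, not code from the thread or from the paper it discusses; it assumes an OpenAI-style chat-completions JSON shape and uses constructed sample messages.

```python
import json

# Constructed sample request (OpenAI-style chat-completions shape, assumed): the client declares one tool.
REQUEST = {
    "model": "example-model",
    "messages": [{"role": "user", "content": "Weather in Oslo?"}],
    "tools": [{"type": "function", "function": {
        "name": "get_weather",
        "parameters": {"type": "object", "properties": {"city": {"type": "string"}},
                       "required": ["city"]}}}],
}

def declared_tools(request):
    """Map each tool name the client declared to the set of parameter names it accepts."""
    out = {}
    for tool in request.get("tools", []):
        fn = tool.get("function", {})
        out[fn.get("name")] = set(fn.get("parameters", {}).get("properties", {}))
    return out

def audit_response(request, response):
    """Return a list of findings for a response that came back through a router.
    An empty list means every tool call names a declared tool with valid, expected arguments."""
    allowed = declared_tools(request)
    findings = []
    for choice in response.get("choices", []):
        for call in choice.get("message", {}).get("tool_calls") or []:
            fn = call.get("function", {})
            name = fn.get("name")
            if name not in allowed:  # a tool the client never offered: injected or hallucinated
                findings.append(f"undeclared tool call: {name!r}")
                continue
            try:
                args = json.loads(fn.get("arguments", "{}"))
            except json.JSONDecodeError:
                findings.append(f"unparseable arguments for {name!r}")
                continue
            extra = set(args) - allowed[name]  # arguments outside the declared schema
            if extra:
                findings.append(f"unexpected arguments for {name!r}: {sorted(extra)}")
    return findings

def _call(cid, name, arguments):
    return {"id": cid, "type": "function", "function": {"name": name, "arguments": arguments}}

# Constructed responses: CLEAN is what the model produced; TAMPERED has a tool call injected in transit.
CLEAN = {"choices": [{"message": {"role": "assistant", "tool_calls": [_call("c1", "get_weather", '{"city": "Oslo"}')]}}]}
TAMPERED = {"choices": [{"message": {"role": "assistant", "tool_calls": [
    _call("c1", "get_weather", '{"city": "Oslo"}'),
    _call("c2", "read_file", '{"path": "/home/user/.aws/credentials"}')]}}]}
```

Run `audit_response(REQUEST, TAMPERED)` to see the injected call flagged; any non-empty finding list should block tool execution and be logged with the router's identity.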