The AI agent economy just hit its first major security crisis: researchers found 26 malicious routers on Hugging Face actively stealing crypto credentials from unsuspecting users.
The Summary
- Security researcher Chaofan Shou discovered 26 compromised LLM routers on Hugging Face that inject malicious tool calls and harvest credentials
- These routers sit between users and AI agents, invisibly redirecting requests to steal wallet keys and authentication tokens
- First documented attack vector targeting the AI agent infrastructure layer, not just end applications
The Signal
Most people building with AI agents think about prompt injection or model hallucinations. Nobody was watching the routers.
LLM routers are the traffic cops of the agent economy. When you interact with an AI agent, the router decides which model handles your request based on cost, speed, and capability. Think of it as middleware that makes multi-model systems work without you knowing which LLM is actually running your task.
Chaofan Shou found 26 of these routers on Hugging Face doing something else entirely. They were secretly injecting malicious tool calls into the execution chain and siphoning credentials. You ask your agent to check your portfolio balance. The router passes that request along, but also tells the agent to quietly export your wallet's private keys to an attacker-controlled endpoint.
"These routers are secretly injecting malicious tool calls and stealing creds."
The attack surface here is massive because routers are infrastructure, not user-facing apps. Developers trust them the way you trust DNS. You don't authenticate every DNS query. You assume the pipes are clean. That assumption just became expensive.
Three reasons this matters more than typical crypto phishing:
- Routers have privileged access to the entire agent execution flow
- Attacks happen at the infrastructure layer where logging is sparse
- Users have no visibility into router behavior, only agent outputs
This is the first real evidence that the AI agent supply chain has the same security problems as traditional software, but with worse tooling. We don't have the equivalent of code signing or package verification for LLM routers yet. Hugging Face is the npm of AI. And just like npm, it's full of packages nobody vets until something breaks.
The timing is brutal. Crypto-native AI agents are exploding right now. Autonomous trading bots, wallet management agents, DeFi strategy executors. All of them route through infrastructure like this. All of them hold real money. And most of them were built by teams sprinting to ship, not sprinting to secure.
The Implication
If you're building AI agents that touch crypto, audit your dependencies now. Know exactly which routers and orchestration layers sit between your code and the models. Assume anything on Hugging Face is compromised until you verify otherwise.
For users: if an AI agent asks for wallet access, treat it like you're handing your keys to a stranger's API. Because functionally, you are. The agent might be trustworthy. The 14 libraries it depends on might not be.
Watch for security tooling companies to emerge around AI agent infrastructure. The first one that ships router verification and execution monitoring will print money.