A security audit of commercial and community API aggregators shows hop-by-hop TLS leaves JSON payloads exposed to intermediary routing nodes, enabling data exfiltration and on-path manipulation. The researchers documented malicious code injection, rapid theft of leaked API keys, and the draining of a honeypot Ethereum wallet, and recommend signed response envelopes and stronger vetting of hubs. #LiteLLM #Ethereum
Keypoints
- API aggregators commonly rely on hop-by-hop TLS, allowing intermediate routing nodes to access plaintext JSON payloads.
- An audit of 28 premium and 400 free hubs found one premium and eight free aggregators actively injecting malicious code.
- Leaked API keys were seized instantly, resulting in ~100 million token consumption, 2.1 billion tokens burned across decoys, and exposure of 99 credentials.
- Researchers observed 17 hubs compromise canary AWS credentials and one aggregator directly stole funds from an Ethereum honeypot, linking these risks to the LiteLLM supply-chain incident.
- Mitigations recommended include signed response envelopes, strict sandboxing and policy-driven gateways for high-privilege tools, and a reputation-based evaluation system for API hubs.
Read More: https://securityonline.info/api-transit-hub-vulnerabilities-llm-security-risks/