A malicious Python package has been discovered on PyPI that disguises itself as a privacy-focused AI inference tool while quietly stealing sensitive user data in the background.
Named hermes-px, the package marketed itself as a “Secure AI Inference Proxy” that routes all AI requests through the Tor network to protect user anonymity.
In reality, it hijacked a private university’s internal AI endpoint, collected every message users sent through it, and exposed the real IP addresses of unsuspecting victims — all without users ever knowing.
What made this threat especially dangerous was how convincingly it was built. The package came with detailed documentation, installation instructions, code examples, a migration guide from the OpenAI Python SDK, and a working Retrieval-Augmented Generation pipeline.
It presented itself as the product of a fictional company called “EGen Labs,” with an API surface nearly identical to OpenAI’s own Python library. Developers searching for a free, privacy-forward AI tool would have had very little reason to suspect that anything was wrong.
JFrog Security researchers identified hermes-px on April 5, 2026, uncovering the full scope of the deception.
Led by security researcher Guy Korolevski, the team revealed how the package silently funneled every user conversation directly to an attacker-controlled Supabase database, all while falsely promising end-to-end anonymity through Tor.
The package specifically targeted software developers who work with AI models and were looking for a free, easy-to-use alternative to paid SDKs.
Once installed from PyPI and integrated into a live project, every prompt a developer sent was quietly logged without any visible sign.
The package’s README also included an “Interactive Learning CLI” section that instructed users to fetch and execute a Python script directly from a GitHub URL at runtime.
This gave the attacker a secondary code execution channel, allowing updated malicious payloads to be delivered without needing to publish a new version of the package.
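The "fetch a script from a URL and run it" pattern described above is worth seeing next to its hardened form. The following is an added example, not code from hermes-px or from JFrog's analysis: the script bytes, the digest and the URLs are constructed for illustration. It shows why a URL that points at a branch is a mutable delivery channel, and what a reviewer would insist on instead (a commit-pinned URL plus a content digest recorded at review time).

```python
"""Remote fetch-and-execute: the README pattern versus a pinned variant.
Added example; the script bytes, digest and URLs below are constructed."""
import hashlib
import re
from typing import Callable

# Constructed stand-in for "whatever the URL serves right now".
TRUSTED_SCRIPT = b"RESULT = 6 * 7\n"
# Digest a maintainer would record once, beside the commit SHA, at review time.
PINNED_SHA256 = hashlib.sha256(TRUSTED_SCRIPT).hexdigest()

# raw.githubusercontent.com URLs have the form /owner/repo/<ref>/path; only a
# full 40-hex commit SHA as <ref> is immutable, a branch or tag name is not.
_RAW_GITHUB = re.compile(r"^https://raw\.githubusercontent\.com/[^/]+/[^/]+/([^/]+)/")
_COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")


def is_immutable_github_raw(url: str) -> bool:
    """True only when the URL pins a specific commit rather than a branch."""
    m = _RAW_GITHUB.match(url)
    return bool(m) and bool(_COMMIT_SHA.match(m.group(1)))


def run_unpinned(fetch: Callable[[], bytes]) -> dict:
    """The README pattern: execute whatever the remote returns right now.
    Anything pushed to that URL later runs with the caller's privileges."""
    namespace: dict = {}
    exec(fetch(), namespace)  # shown to illustrate the hazard
    return namespace


def run_pinned(fetch: Callable[[], bytes], expected_sha256: str) -> dict:
    """Hardened variant: refuse to execute unless the bytes match a digest
    recorded at review time, so a swapped payload fails closed."""
    body = fetch()
    actual = hashlib.sha256(body).hexdigest()
    if actual != expected_sha256:
        raise ValueError(f"script digest {actual} does not match pinned {expected_sha256}")
    namespace: dict = {}
    exec(body, namespace)
    return namespace
```

Pinning the URL to a commit stops the upstream file from changing under you; checking the digest additionally catches a compromised or spoofed server, since the bytes are verified regardless of where they came from.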
The broader impact went far beyond simple data collection. The proxy routed every request through the private AI infrastructure of Universite Centrale, the largest private university in Tunisia, so each user who installed the package was unknowingly consuming that university's endpoint without the institution's knowledge or consent.
To make things worse, the exfiltration bypassed Tor entirely and used the victim’s direct internet connection, exposing their real IP address — the very protection hermes-px had openly promised to provide.
How the Stolen Claude Prompt Powered the Attack
At the core of hermes-px sat a compressed file called base_prompt.pz, which contained a massive 246,000-character system prompt. When decompressed, it turned out to be a near-complete copy of Anthropic’s proprietary Claude Code system prompt.
The attacker had tried to rebrand it by swapping “Claude” with “AXIOM-1” and “Anthropic” with “EGen Labs,” but the substitution was incomplete.
Six references to “Claude” and two to “Anthropic” survived, along with Claude-specific function names, internal infrastructure markers, and sandbox filesystem paths that no fabricated prompt could realistically contain.
This stolen prompt was injected into every API call, alongside encrypted payloads that mimicked academic advising chatbot instructions from the university’s own internal service.
To shield these strings from security tools, the package used a three-layer obfuscation chain: every sensitive value was first XOR-obfuscated with a 210-byte rotating key, then compressed with zlib, and finally encoded in base64.
As a result, no readable credentials or endpoint URLs existed anywhere in the package files at rest; every value was decoded only in memory at runtime, which defeats grep-style static scanning for known indicators. The chain is not unbreakable, however: the key and the decode routine must ship inside the package for it to work, so an analyst who locates that routine can reuse it to recover every string, and the base64-zlib-XOR decode pattern is itself a signature worth flagging in package review.
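To make the chain concrete, here is an added example that reproduces and reverses the three layers in the order the write-up gives them. This is not code from hermes-px: the 210-byte key, the sample plaintext and the detection heuristic are all constructed here. The round trip shows why a plaintext indicator never appears in the at-rest blob, and the last function is a cheap static check for the decode routine that any such package must carry.

```python
"""Three-layer string obfuscation (XOR with a rotating key, then zlib, then
base64), applied and reversed.  Added example; key and plaintext are constructed."""
import base64
import zlib

# Constructed 210-byte rotating key; the package's real key is not reproduced.
KEY = bytes((i * 37 + 11) % 256 for i in range(210))

# Constructed stand-in for an exfiltration endpoint hidden in the package.
SAMPLE_PLAINTEXT = b"https://example.invalid/rest/v1/conversations"


def xor_rotating(data: bytes, key: bytes) -> bytes:
    """XOR each byte with key[i mod len(key)].  XOR is its own inverse,
    so the same function applies and removes the layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plaintext: bytes, key: bytes = KEY) -> str:
    """Apply the chain in the order described: XOR, then zlib, then base64."""
    return base64.b64encode(zlib.compress(xor_rotating(plaintext, key))).decode("ascii")


def deobfuscate(blob: str, key: bytes = KEY) -> bytes:
    """Reverse the chain: base64 decode, zlib decompress, XOR with the key."""
    return xor_rotating(zlib.decompress(base64.b64decode(blob)), key)


def visible_at_rest(blob: str, needle: bytes) -> bool:
    """What a grep-style scan of the package files would see: is the
    indicator present in the stored blob?  A '.' or '/' in the needle can
    never match, since neither is in the base64 alphabet."""
    return needle in blob.encode("ascii")


def looks_like_decode_chain(source: str) -> bool:
    """Heuristic (constructed here, not a vendor rule): a module that both
    base64-decodes and zlib-decompresses and performs a bytewise XOR is
    carrying the decode routine this chain requires, and deserves a look."""
    return all(tok in source for tok in ("b64decode", "decompress", "^"))
```

The heuristic will have false positives (legitimate code also XORs and decompresses), but in a package that claims to be a thin API proxy it is a strong signal, and once the decode routine is found the analyst simply calls it on every blob rather than reverse-engineering the key.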
Anyone who installed hermes-px should remove it immediately by running pip uninstall hermes-px. All credentials, API keys, or sensitive data included in prompts sent through the package must be rotated without delay.
Every conversation passed through the package should be treated as fully captured and reviewed carefully for passwords, internal URLs, proprietary code, or personal information.
The attacker’s exfiltration endpoint urlvoelpilswwxkiosey[.]supabase[.]co should be blocked at the network level. If Tor was installed for this package, removing it will help reduce the overall attack surface.