Critical PyPI Vulnerability Steals Claude Prompts, Exfiltrates Data

David kimber
April 6, 2026

Key Takeaways

  • A malicious Python package, hermes-px, was discovered on PyPI, posing as a secure AI inference proxy.
  • The package secretly exfiltrated sensitive user data, including AI prompts and user IP addresses, to an attacker-controlled database.
  • It leveraged a stolen proprietary system prompt from Anthropic’s Claude AI and exploited the private AI infrastructure of a Tunisian university.
  • The threat was highly sophisticated, featuring detailed documentation, obfuscation techniques, and a secondary code execution channel.
  • Users who installed hermes-px must immediately remove it, rotate credentials, and block the attacker’s exfiltration endpoint.

Sophisticated Malicious PyPI Package Exfiltrates AI Prompts and User Data

A cunningly crafted malicious Python package, identified on PyPI, has been found to covertly extract sensitive user information, including AI prompts and real IP addresses, while posing as a privacy-enhancing AI tool. The package, named hermes-px, marketed itself as a “Secure AI Inference Proxy” designed to route AI requests through the Tor network, promising enhanced user anonymity.

In reality, hermes-px redirected user queries through a private AI endpoint belonging to Universite Centrale, Tunisia’s largest private university, without authorization. It systematically collected every message transmitted through this service and exposed the actual IP addresses of its unsuspecting users, directly contradicting its privacy claims.

Deceptive Design and Operational Mechanics

The package’s dangerous efficacy stemmed from its convincing presentation. It included comprehensive documentation, detailed installation guides, practical code examples, and even a migration pathway for developers accustomed to the OpenAI Python SDK. Furthermore, it incorporated a functional Retrieval-Augmented Generation (RAG) pipeline.

hermes-px was presented as a product of a fictitious entity, “EGen Labs,” featuring an API surface that closely mirrored OpenAI’s Python library. This elaborate facade was designed to deceive developers seeking a free, privacy-focused AI solution, leaving little to no reason for suspicion.

JFrog Security researchers, spearheaded by Guy Korolevski, detected hermes-px on April 5, 2026. Their investigation uncovered the full extent of the package’s deceptive operations, revealing how it silently forwarded all user conversations to a Supabase database under attacker control, all while falsely guaranteeing end-to-end anonymity via Tor.

The package specifically targeted software developers engaged with AI models who were looking for cost-free and user-friendly alternatives to commercial SDKs. Upon installation from PyPI and integration into a live project, every prompt issued by a developer was surreptitiously logged without any overt indicators.

Compounding the threat, the package’s README file contained an “Interactive Learning CLI” section. This section instructed users to fetch and execute a Python script directly from a GitHub URL at runtime, establishing a secondary channel for code execution. This mechanism allowed the attackers to deploy updated malicious payloads without the need to publish new versions of the package to PyPI.

The ramifications of this attack extended beyond mere data collection. Users unknowingly exploited the private AI infrastructure of Universite Centrale. Moreover, the data exfiltration completely bypassed Tor, leveraging the victim’s direct internet connection and thereby exposing their real IP address—the very information hermes-px purported to safeguard.

How the Stolen Claude Prompt Powered the Attack

A critical component of hermes-px was a compressed file named base_prompt.pz. This file, when decompressed, revealed a substantial 246,000-character system prompt that was nearly an exact replica of Anthropic’s proprietary Claude Code system prompt.

The attackers had attempted to rebrand this prompt by replacing “Claude” with “AXIOM-1” and “Anthropic” with “EGen Labs.” However, this substitution was incomplete, leaving six instances of “Claude” and two of “Anthropic” intact. The prompt also contained Claude-specific function names, internal infrastructure markers, and sandbox filesystem paths, details that would not be present in a genuinely fabricated prompt. This pilfered prompt was then injected into every API call, alongside encrypted payloads designed to mimic academic advising chatbot instructions from the university’s internal service.

To evade detection by security tools, the package employed a sophisticated triple-layer obfuscation strategy. All sensitive strings were initially XOR-encrypted using a 210-byte rotating key, then compressed with zlib, and finally encoded in base64. Consequently, no readable credentials or endpoint URLs were present in the package files at rest; all values were decoded only in memory during runtime, rendering conventional static analysis largely ineffective against this hidden threat.
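The three-layer masking just described leaves no readable strings on disk, but the layering itself is a detectable pattern: a base64 token that inflates as a zlib stream yet still does not read as text is worth an analyst's attention. The following added example (not JFrog's tooling and not code from hermes-px) scans a file's text for such tokens, flags the ones whose inflated contents are mostly non-printable, and shows the follow-up step of unmasking once the rotating key has been lifted from the package's own loader; KEY, SECRET and the sample file contents are constructed placeholders.

```python
import base64
import re
import zlib

# Long runs of base64 alphabet (optional padding) as they appear in source files.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")

def printable_ratio(data: bytes) -> float:
    """Share of bytes in printable ASCII; genuine text is ~1.0, XOR-masked bytes far lower."""
    return sum(0x20 <= b <= 0x7E for b in data) / len(data) if data else 0.0

def xor_rotate(data: bytes, key: bytes) -> bytes:
    """XOR against a rotating key; symmetric, so one function both masks and unmasks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def find_layered_blobs(text: bytes, min_printable: float = 0.75) -> list:
    """Find base64 tokens that decode to a zlib stream (header byte 0x78) and inflate.
    A hit is 'suspicious' when the inflated bytes are still mostly non-printable:
    plainly compressed text reads back as text, a further XOR layer does not."""
    hits = []
    for m in B64_RE.finditer(text):
        token = m.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:                      # not well-formed base64 after all
            continue
        if len(raw) < 2 or raw[0] != 0x78:      # not a zlib stream (0x78 0x9C, 0x78 0xDA, ...)
            continue
        try:
            inflated = zlib.decompress(raw)
        except zlib.error:
            continue
        ratio = printable_ratio(inflated)
        hits.append({"token": token.decode(), "inflated": inflated,
                     "printable": ratio, "suspicious": ratio < min_printable})
    return hits

def unmask(inflated: bytes, key: bytes) -> bytes:
    """Analyst step: with the rotating key lifted from the package's loader, undo the XOR."""
    return xor_rotate(inflated, key)

# Constructed sample loader file (not from hermes-px): a masked config string built with a
# constructed 210-byte key, a merely compressed docstring, and an unrelated base64 token.
KEY = bytes((i * 73 + 11) % 256 for i in range(210))
SECRET = b'{"endpoint": "https://EXAMPLE-ENDPOINT.example.invalid/rest/v1/", "anon_key": "PLACEHOLDER"}'
MASKED = base64.b64encode(zlib.compress(xor_rotate(SECRET, KEY)))
DOC = base64.b64encode(zlib.compress(b"Secure AI inference proxy. Routes requests over Tor. " * 4))
PLAIN = base64.b64encode(b"just some padding bytes here ok")
SAMPLE = b'_K = "' + MASKED + b'"\n_D = "' + DOC + b'"\n_P = "' + PLAIN + b'"\n'
```

Running find_layered_blobs(SAMPLE) reports the masked token as suspicious and the compressed docstring as benign; the plain base64 token is skipped because it is not a zlib stream.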

What You Should Do

  • Immediate Uninstallation: If you have installed hermes-px, remove it without delay by executing pip uninstall hermes-px.
  • Credential Rotation: Promptly rotate all credentials, API keys, and sensitive data that may have been included in prompts sent through the compromised package.
  • Conversation Review: Treat every conversation passed through hermes-px as fully compromised. Review these interactions carefully for any exposed passwords, internal URLs, proprietary code, or personal information.
  • Network Blocking: Block the attacker’s exfiltration endpoint, urlvoelpilswwxkiosey[.]supabase[.]co, at your network’s firewall or proxy level.
  • Tor Removal: If Tor was installed specifically for use with this package, consider removing it to reduce your overall attack surface.
