Malicious PyPI Package Steals Claude Prompts, Exfiltrates Data
Key Takeaways
- A malicious Python package, hermes-px, was discovered on PyPI, posing as a secure AI inference proxy.
- The package secretly exfiltrated sensitive user data, including AI prompts and user IP addresses, to an attacker-controlled database.
- It leveraged a stolen proprietary system prompt from Anthropic’s Claude AI and exploited the private AI infrastructure of a Tunisian university.
- The threat was highly sophisticated, featuring detailed documentation, obfuscation techniques, and a secondary code execution channel.
- Users who installed hermes-px must immediately remove it, rotate credentials, and block the attacker’s exfiltration endpoint.
Sophisticated Malicious PyPI Package Exfiltrates AI Prompts and User Data
A cunningly crafted malicious Python package, identified on PyPI, has been found to covertly extract sensitive user information, including AI prompts and real IP addresses, while posing as a privacy-enhancing AI tool. The package, named hermes-px, marketed itself as a “Secure AI Inference Proxy” designed to route AI requests through the Tor network, promising enhanced user anonymity.
In reality, hermes-px redirected user queries through a private AI endpoint belonging to Universite Centrale, Tunisia’s largest private university, without authorization. It systematically collected every message transmitted through this service and exposed the actual IP addresses of its unsuspecting users, directly contradicting its privacy claims.
Deceptive Design and Operational Mechanics
The package’s dangerous efficacy stemmed from its convincing presentation. It included comprehensive documentation, detailed installation guides, practical code examples, and even a migration pathway for developers accustomed to the OpenAI Python SDK. Furthermore, it incorporated a functional Retrieval-Augmented Generation (RAG) pipeline.
hermes-px was presented as a product of a fictitious entity, “EGen Labs,” featuring an API surface that closely mirrored OpenAI’s Python library. This elaborate facade was designed to deceive developers seeking a free, privacy-focused AI solution, leaving little to no reason for suspicion.
JFrog Security researchers, spearheaded by Guy Korolevski, detected hermes-px on April 5, 2026. Their investigation uncovered the full extent of the package’s deceptive operations, revealing how it silently forwarded all user conversations to a Supabase database under attacker control, all while falsely guaranteeing end-to-end anonymity via Tor.
The package specifically targeted software developers engaged with AI models who were looking for cost-free and user-friendly alternatives to commercial SDKs. Upon installation from PyPI and integration into a live project, every prompt issued by a developer was surreptitiously logged without any overt indicators.
Compounding the threat, the package’s README file contained an “Interactive Learning CLI” section. This section instructed users to fetch and execute a Python script directly from a GitHub URL at runtime, establishing a secondary channel for code execution. This mechanism allowed the attackers to deploy updated malicious payloads without the need to publish new versions of the package to PyPI.
The ramifications of this attack extended beyond mere data collection. Users unknowingly exploited the private AI infrastructure of Universite Centrale. Moreover, the data exfiltration completely bypassed Tor, leveraging the victim’s direct internet connection and thereby exposing their real IP address—the very information hermes-px purported to safeguard.
How the Stolen Claude Prompt Powered the Attack
A critical component of hermes-px was a compressed file named base_prompt.pz. This file, when decompressed, revealed a substantial 246,000-character system prompt that was nearly an exact replica of Anthropic’s proprietary Claude Code system prompt.
The attackers had attempted to rebrand this prompt by replacing “Claude” with “AXIOM-1” and “Anthropic” with “EGen Labs.” However, this substitution was incomplete, leaving six instances of “Claude” and two of “Anthropic” intact. The prompt also contained Claude-specific function names, internal infrastructure markers, and sandbox filesystem paths, details that would not be present in a genuinely fabricated prompt. This pilfered prompt was then injected into every API call, alongside encrypted payloads designed to mimic academic advising chatbot instructions from the university’s internal service.
To evade detection by security tools, the package wrapped its sensitive strings in three layers of obfuscation. Each string was first XOR-obfuscated with a 210-byte rotating key, then compressed with zlib, and finally base64-encoded. As a result, no readable credentials or endpoint URLs appear in the package files at rest; the values are decoded only in memory at runtime, so signature and string-matching scans of the package contents find nothing. Because the key ships inside the package, the XOR layer is obfuscation rather than encryption: the decoding routine must also be present, and an analyst who runs or emulates it recovers every hidden value.
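As an added example (not code from hermes-px, and not JFrog's analysis tooling), the following Python reproduces the three-layer scheme in the order the article reports and shows two things a practitioner cares about: a literal string scan of the encoded blob finds nothing, and the XOR layer collapses as soon as the key or a single known plaintext prefix such as https:// is available. The key derivation, its seed and the sample endpoint string are constructed for the demonstration and are not the attacker's values.

```python
import base64
import hashlib
import zlib

KEY_LEN = 210  # the key length the article reports


def make_key(seed: bytes = b"constructed-example-seed", length: int = KEY_LEN) -> bytes:
    """Build a deterministic 210-byte key for the demo (constructed; not the real key)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_rotate(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key byte at the same position modulo the key length.
    XOR is its own inverse, so the same call both hides and reveals."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plaintext: str, key: bytes) -> str:
    """Apply the layers in the reported order: XOR, then zlib, then base64."""
    xored = xor_rotate(plaintext.encode("utf-8"), key)
    return base64.b64encode(zlib.compress(xored)).decode("ascii")


def strip_outer_layers(blob: str) -> bytes:
    """Undo base64 and zlib, leaving the XORed bytes; no key is needed for this step."""
    return zlib.decompress(base64.b64decode(blob))


def deobfuscate(blob: str, key: bytes) -> str:
    """Full reversal, as the package would do in memory before using the value."""
    return xor_rotate(strip_outer_layers(blob), key).decode("utf-8")


def naive_scan(package_text: str, indicator: str) -> bool:
    """What a string-matching scanner does: look for the indicator literally in file contents."""
    return indicator in package_text


def recover_key_fragment(xored: bytes, known_plaintext: bytes, offset: int = 0) -> bytes:
    """Known-plaintext attack on the XOR layer: plaintext XOR ciphertext yields the key bytes
    covering that span. A URL almost always begins with 'https://', which gives key[0:8]."""
    span = xored[offset:offset + len(known_plaintext)]
    return bytes(c ^ p for c, p in zip(span, known_plaintext))


# Constructed stand-in for the kind of value the package hid; not the real endpoint.
SAMPLE_ENDPOINT = "https://example-project.supabase.co/rest/v1/conversations"


def demo() -> dict:
    """Run the scheme end to end and report what a scanner and an analyst each get."""
    key = make_key()
    blob = obfuscate(SAMPLE_ENDPOINT, key)
    return {
        "blob": blob,
        "visible_at_rest": naive_scan(blob, "supabase.co"),
        "round_trip_ok": deobfuscate(blob, key) == SAMPLE_ENDPOINT,
        "key_prefix_recovered": recover_key_fragment(strip_outer_layers(blob), b"https://") == key[:8],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two observations follow from running it. Because the XOR step runs before compression, zlib sees random-looking bytes and cannot shrink them, so the middle layer adds a decoding step rather than saving space. And a detection approach that matches on indicators at rest (URLs, hostnames, keys) is the wrong tool here; look instead for the decode pattern itself (base64 and zlib calls feeding a byte-wise XOR loop, with the result passed to a network or exec call) or execute the package in a sandbox and inspect the strings it produces in memory.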
What You Should Do
- Immediate Uninstallation: If you have installed hermes-px, remove it without delay by executing pip uninstall hermes-px.
- Credential Rotation: Promptly rotate all credentials, API keys, and sensitive data that may have been included in prompts sent through the compromised package.
- Conversation Review: Treat every conversation passed through hermes-px as fully compromised. Review these interactions carefully for any exposed passwords, internal URLs, proprietary code, or personal information.
- Network Blocking: Block the attacker’s exfiltration endpoint, urlvoelpilswwxkiosey[.]supabase[.]co, at your network’s firewall or proxy level.
- Tor Removal: If Tor was installed specifically for use with this package, consider removing it to reduce your overall attack surface.
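The uninstall step is easy to get wrong at scale because pip treats hermes_px, Hermes.PX and hermes-px as the same distribution, so a grep for the literal name misses pinned copies in requirements files. The following Python is an added triage helper, not the article's or JFrog's tooling: it checks the running interpreter's installed distributions and a requirements.txt-style manifest using PEP 503 name normalization, and emits the uninstall command and a per-host sinkhole for the exfiltration endpoint. The package name and hostname are the article's indicators (the hostname is written undefanged so it can be matched); the sample manifest is constructed.

```python
import re
from importlib import metadata

MALICIOUS_PKG = "hermes-px"  # distribution name from the article
EXFIL_HOST = "urlvoelpilswwxkiosey.supabase.co"  # the article's indicator, undefanged for matching


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, and any run of '-', '_' or '.' becomes one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_distributions(pkg: str = MALICIOUS_PKG) -> list:
    """Versions of the package installed in the current environment (empty when clean)."""
    target = normalize(pkg)
    found = []
    for dist in metadata.distributions():
        try:
            name = dist.metadata["Name"] or ""
        except Exception:  # damaged .dist-info directories happen; skip them rather than abort triage
            continue
        if normalize(name) == target:
            found.append(dist.version)
    return found


_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def manifest_hits(text: str, pkg: str = MALICIOUS_PKG) -> list:
    """1-based line numbers in requirements.txt-style text that name the package, whatever
    casing or separator is used. Comments, blank lines and pip options (-r, --index-url) are skipped,
    and extras or version specifiers after the name (hermes-px[rag]>=0.2) do not affect the match."""
    target = normalize(pkg)
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_NAME.match(line)
        if m and normalize(m.group(1)) == target:
            hits.append(lineno)
    return hits


def hosts_sinkhole_lines(host: str = EXFIL_HOST) -> list:
    """Per-machine fallback for the network block: /etc/hosts entries that null-route the endpoint."""
    return [f"0.0.0.0 {host}", f":: {host}"]


# Constructed sample manifest, not taken from any real project.
SAMPLE_MANIFEST = """\
# requirements.txt
-r base.txt
requests>=2.31
Hermes_PX==0.3.1          # same distribution as hermes-px, different spelling
openai
hermes-px-extras           # a different name; must not match
"""


def triage(manifest_text: str = SAMPLE_MANIFEST) -> dict:
    """Collect everything an operator needs to act on the uninstall and block steps."""
    return {
        "installed_versions": installed_distributions(),
        "manifest_lines": manifest_hits(manifest_text),
        "uninstall": f"pip uninstall -y {MALICIOUS_PKG}",
        "hosts_block": hosts_sinkhole_lines(),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run it inside each virtual environment and container image you suspect, not just on the host interpreter, since importlib.metadata only sees the environment it runs in. The hosts-file entries are a stopgap that covers only name resolution through the system resolver; the article's recommendation to block at the firewall or proxy is the right control, and it should be a hostname-based block (DNS, proxy or SNI-aware egress filtering) because the endpoint is a per-project subdomain on Supabase's shared infrastructure, so blocking its resolved IP addresses would overblock unrelated projects and break when they change. Credential rotation and conversation review cannot be scripted: every secret that passed through an environment this helper flags should be treated as exposed.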
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.