A sophisticated threat actor has compromised the Python Package Index (PyPI), distributing a malicious package named `hermes-px` that masqueraded as a privacy-enhancing AI inference proxy. In reality, this trojanized PyPI AI proxy used a stolen Claude prompt to exfiltrate sensitive user data, undermining its stated purpose of protecting anonymity and instead exposing victim IP addresses.
The discovered malicious package, `hermes-px`, was presented to developers as a secure AI inference tool designed to route all AI requests through the Tor network for enhanced privacy. However, JFrog Security researchers identified on April 5, 2026, that the package was actively exploiting a private university’s internal AI endpoint. It stealthily logged every message sent by users through its interface and revealed the actual IP addresses of those using it.
How the Stolen Claude Prompt Powered the Attack
The deceptive nature of `hermes-px` was meticulously crafted. It offered comprehensive documentation, clear installation guides, functional code examples, a migration path from the popular OpenAI Python SDK, and even a working Retrieval-Augmented Generation pipeline. The package fabricated a company identity, “EGen Labs,” and mirrored OpenAI’s API surface almost identically, leaving unsuspecting developers with little reason to suspect a threat.
The core of the attack relied on a compressed file named `base_prompt.pz` found within the package. This file contained a substantial 246,000-character system prompt that was a near-exact replica of Anthropic’s proprietary Claude Code system prompt. While the attacker attempted to rebrand tokens like “Claude” to “AXIOM-1” and “Anthropic” to “EGen Labs,” residual references to Claude, Anthropic, and Claude-specific function names remained, alongside internal infrastructure markers and sandbox paths that were inconsistent with a fabricated prompt.
This stolen prompt was integrated into every API call made by the package. Coupled with this were encrypted payloads designed to mimic academic advising chatbot instructions from the university’s internal service. This dual approach allowed the attackers to both steal user input and potentially inject malicious instructions disguised as legitimate academic queries.
To evade detection by standard security tools, the `hermes-px` package employed a robust, multi-layered obfuscation technique. Sensitive strings within the package were first encrypted using a rotating XOR key, then compressed with zlib, and finally encoded in base64. This meant that no readable credentials or endpoint URLs were present in the package files when at rest. Values were only decoded in memory during runtime, rendering static analysis methods largely ineffective against this hidden threat.
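To make the layering concrete for analysts, the following is an added example (not code from the `hermes-px` package or from JFrog) that reproduces the described XOR-then-zlib-then-base64 scheme on a constructed sample string and shows how the layers are peeled back in reverse once the rotating key is lifted from the loader code. The key and the sample URL are invented fixtures, not values from the real package.

```python
import base64
import zlib

# Constructed sample values: neither the key nor the plaintext comes from the real package.
SAMPLE_KEY = b"k3y-r0tat3s"
SAMPLE_SECRET = b"https://exfil-endpoint.example.invalid/api/log"


def rotating_xor(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key byte at the same position, cycling through the key.
    XOR is its own inverse, so the same call both hides and recovers the data."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap_string(plaintext: bytes, key: bytes) -> str:
    """Apply the layering the article describes (XOR, then zlib, then base64).
    Used here only to build a test fixture for the unwrapper below."""
    return base64.b64encode(zlib.compress(rotating_xor(plaintext, key))).decode("ascii")


def unwrap_string(blob: str, key: bytes) -> bytes:
    """Peel the layers in reverse order: base64 -> zlib -> XOR.
    The base64 and zlib steps always succeed; only the XOR step needs the key,
    which an analyst recovers from the loader code. A wrong key yields noise,
    which is why a plain string scan of the package files finds nothing."""
    raw = base64.b64decode(blob, validate=True)
    compressed = zlib.decompress(raw)
    return rotating_xor(compressed, key)


if __name__ == "__main__":
    blob = wrap_string(SAMPLE_SECRET, SAMPLE_KEY)
    print("at rest:  ", blob)                         # no URL visible in the file
    print("wrong key:", unwrap_string(blob, b"guess"))  # noise, not the endpoint
    print("right key:", unwrap_string(blob, SAMPLE_KEY).decode())
```

Running the script prints the opaque blob as it would sit in a package file, then the recovered endpoint once the correct key is supplied.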
Furthermore, the package README featured an “Interactive Learning CLI” section that prompted users to fetch and execute a Python script directly from a GitHub URL at runtime. This provided the attacker with a secondary channel for code execution, enabling them to deliver updated malicious payloads without the need to re-publish a new version of the `hermes-px` package to PyPI.
The impact of this attack extends beyond data exfiltration. Users unknowingly abused the private AI infrastructure of Universite Centrale, the largest private university in Tunisia, without its permission. Crucially, the data exfiltration process bypassed the promised Tor anonymization entirely, utilizing the victim’s direct internet connection and thereby exposing their real IP address—the very privacy safeguard the package had advertised.
Developers who have installed `hermes-px` are strongly advised to remove it immediately using the command `pip uninstall hermes-px`. It is imperative that any credentials, API keys, or sensitive information entered into prompts processed by this package be rotated without delay. All conversations handled by the package should be considered compromised and meticulously reviewed for any exposed passwords, internal URLs, proprietary code, or personal information.
Additionally, organizations are urged to block the attacker’s exfiltration endpoint, `urlvoelpilswwxkiosey[.]supabase[.]co`, at the network level. If Tor was installed specifically for this package, its removal should be considered to further reduce the potential attack surface. The cybersecurity community will likely focus on further analysis of the stolen prompts and the attacker’s infrastructure to understand the full extent of the breach and prevent similar incidents in the future.