EGen Labs: Trojanized PyPI AI Proxy Steals Data With Stolen Claude Prompt

Sophisticated PyPI Package *hermes-px* Exfiltrates User Data via Stolen AI Infrastructure

Security researchers at JFrog have identified a highly deceptive malicious package on PyPI, hermes-px, designed to steal user data under the guise of a secure AI proxy. Marketed as a tool for anonymous OpenAI-compatible requests routed through Tor, the package instead hijacks a private university’s AI endpoint, repurposes a stolen Anthropic Claude system prompt, and exfiltrates user prompts directly to attackers.

Unlike typical malicious packages, hermes-px is meticulously crafted to appear legitimate, featuring detailed documentation, code examples, error-handling guides, and a functional Retrieval-Augmented Generation (RAG) pipeline. It mimics the OpenAI Python SDK’s API surface and claims affiliation with a fictional company, EGen Labs, to encourage integration into real projects. However, its README instructs users to execute arbitrary Python code from a now-removed GitHub repository, enabling dynamic payload updates.

At its core, the package contains a compressed 246,000-character file, base_prompt.pz, which reveals a near-complete copy of a leaked Anthropic Claude system prompt. Attackers attempted to rebrand it as AXIOM-1 under EGen Labs, but incomplete modifications left traces of its original source. The package sanitizes AI responses to replace references to OpenAI or ChatGPT with EGen Labs, reinforcing the deception.

The most damaging component is its exfiltration module, which bypasses Tor entirely. While AI inference requests are routed through Tor to obscure the abuse of the university’s endpoint, telemetry, including unmodified user prompts, full AI responses, and the user's real IP address, is sent directly to an attacker-controlled Supabase database. Sensitive strings, such as database credentials and target URLs, are protected by triple-layer encryption to evade detection.

JFrog’s findings highlight the package’s ability to undermine its own promised anonymity while silently harvesting sensitive data from unsuspecting developers.

Source: https://cyberpress.org/trojanized-pypi-proxy-steals/

eGen cybersecurity rating report: https://www.rankiteo.com/company/egen

"id": "EGE1775651570",
"linkid": "egen",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'industry': 'Education',
                        'name': 'Private University (unnamed)',
                        'type': 'Educational Institution'},
                       {'industry': 'Technology, Software Development',
                        'location': 'Global',
                        'name': 'Developers integrating *hermes-px*',
                        'type': 'Individuals/Organizations'}],
 'attack_vector': 'Supply Chain Attack (PyPI Package)',
 'data_breach': {'data_encryption': 'Triple-layer encryption for sensitive '
                                    'strings (e.g., database credentials)',
                 'data_exfiltration': True,
                 'file_types_exposed': ['Python scripts',
                                        'Compressed prompt files (*.pz*)'],
                 'personally_identifiable_information': 'IP addresses',
                 'sensitivity_of_data': 'High (sensitive AI interactions, '
                                        'personally identifiable information '
                                        'like IP addresses)',
                 'type_of_data_compromised': ['User prompts',
                                              'AI responses',
                                              'IP addresses']},
 'description': 'Security researchers at JFrog have identified a highly '
                'deceptive malicious package on PyPI, *hermes-px*, designed to '
                'steal user data under the guise of a secure AI proxy. '
                'Marketed as a tool for anonymous OpenAI-compatible requests '
                'routed through Tor, the package instead hijacks a private '
                'university’s AI endpoint, repurposes a stolen Anthropic '
                'Claude system prompt, and exfiltrates user prompts directly '
                'to attackers.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage for '
                                       'developers and organizations using the '
                                       'malicious package',
            'data_compromised': 'User prompts, AI responses, real IP addresses',
            'identity_theft_risk': 'High (IP addresses and sensitive prompts '
                                   'exfiltrated)',
            'operational_impact': 'Potential compromise of sensitive AI '
                                  'interactions and developer data',
            'systems_affected': 'AI inference systems, developer environments '
                                'integrating *hermes-px*'},
 'initial_access_broker': {'backdoors_established': 'Dynamic payload updates '
                                                    'via GitHub repository',
                           'entry_point': 'PyPI package (*hermes-px*)',
                           'high_value_targets': 'Developers integrating AI '
                                                 'tools, organizations using '
                                                 'OpenAI-compatible APIs'},
 'investigation_status': 'Identified and disclosed by JFrog',
 'lessons_learned': 'Malicious packages can be highly deceptive, mimicking '
                    'legitimate tools with detailed documentation and '
                    'functional features. Dynamic payload updates and stolen '
                    'infrastructure can amplify their impact. Developers must '
                    'verify package authenticity and scrutinize dependencies.',
 'motivation': 'Data Theft, Intellectual Property Harvesting',
 'post_incident_analysis': {'corrective_actions': ['Remove *hermes-px* from '
                                                   'PyPI',
                                                   'Notify affected developers '
                                                   'and organizations',
                                                   'Enhance PyPI package '
                                                   'vetting processes',
                                                   'Improve detection of '
                                                   'malicious packages with '
                                                   'dynamic payloads'],
                            'root_causes': ['Lack of verification for PyPI '
                                            'package authenticity',
                                            'Social engineering (legitimate '
                                            'appearance of *hermes-px*)',
                                            'Abuse of stolen AI infrastructure '
                                            '(university endpoint, Anthropic '
                                            'Claude prompt)',
                                            'Dynamic payload updates enabling '
                                            'evasion of detection']},
 'recommendations': ['Verify PyPI package authenticity before integration',
                     'Scrutinize dependencies for unusual behavior or dynamic '
                     'payloads',
                     'Monitor for unauthorized data exfiltration in AI '
                     'interactions',
                     'Implement strict supply chain security measures',
                     'Educate developers on social engineering risks in '
                     'open-source packages'],
 'references': [{'source': 'JFrog Security Research'}],
 'response': {'third_party_assistance': 'JFrog (Security Research)'},
 'title': 'Sophisticated PyPI Package *hermes-px* Exfiltrates User Data via '
          'Stolen AI Infrastructure',
 'type': 'Malicious Package / Data Exfiltration',
 'vulnerability_exploited': 'Social Engineering (Legitimate Appearance), '
                            'Dynamic Payload Updates, Stolen AI Infrastructure'}