Malicious PyPI Package `hermes-px` Stole AI Prompts and Exposed User Data
Researchers at JFrog uncovered a malicious PyPI package, hermes-px, that posed as a privacy-focused, OpenAI-compatible AI inference proxy while covertly stealing prompts, responses, and users’ real IP addresses. The package impersonated a legitimate SDK from a fictitious company, included polished documentation and RAG examples, and secretly routed conversations to an attacker-controlled Supabase instance. Analysis showed it also decrypted and abused a private AI endpoint at Universite Centrale in Tunisia, protected by Azure WAF, while presenting itself as a secure proxy for AI access.
The package contained a heavily obfuscated payload, a compressed file holding what researchers described as a near-complete copy of Anthropic Claude Code’s proprietary system prompt rebranded in part as AXIOM-1, and a secondary execution path through README instructions that told users to fetch and run a remote Python script from GitHub. JFrog urged affected users to uninstall hermes-px, treat all prompts and conversations sent through it as compromised, rotate credentials and other secrets, and block the identified Supabase exfiltration endpoint; one report also advised removing Tor from impacted environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
JFrog discloses hermes-px campaign and publishes mitigations
JFrog Security publicly reported that hermes-px was malicious, describing its obfuscated payload, telemetry, remote script execution path, and data theft behavior. The researchers advised users to uninstall the package, rotate credentials, treat all conversations as compromised, and block the identified Supabase exfiltration endpoint.
Hermes-px targets Tunisian university AI endpoint and exfiltrates data
The malicious package was used to abuse a private AI endpoint at Universite Centrale in Tunisia while exposing victims' real IP addresses and exfiltrating prompts, conversations, and AI responses to an attacker-controlled Supabase instance. Analysis also found a large compressed prompt appearing to be a near-complete copy of Anthropic Claude Code's system prompt, partially rebranded as 'AXIOM-1.'
Malicious 'hermes-px' package uploaded to PyPI
Threat actors distributed a PyPI package named 'hermes-px' that masqueraded as a privacy-focused, OpenAI-compatible AI inference proxy from a fictitious company called EGen Labs. The package included polished documentation, SDK-like functionality, and instructions that enabled additional remote code execution behavior.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
PyPI에 등록된 가짜 AI 프록시 패키지, 사용자 프롬프트 탈취
blog.alyac.co.kr
Open sourceMalicious PyPI package enables Claude prompt, data compromise | brief | SC Media
scworld.com
Open sourceTrojanized PyPI AI Proxy Uses Stolen Claude Prompt to Exfiltrates Data - Cyber Security News
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Prompt Injection and Trojanized PyPI Package Exposed Secrets in AI Coding Tools
Researchers from Johns Hopkins University showed that a **"comment-and-control"** prompt injection technique could hijack AI coding agents embedded in GitHub workflows, including Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub Copilot Agent. By planting malicious instructions in untrusted GitHub content such as pull request titles, issue text, comments, and hidden HTML, the attackers made the agents follow attacker-controlled directions and exfiltrate secrets through workflow output or GitHub comments. The demonstrations reportedly exposed Anthropic and Gemini API keys, GitHub tokens, and other credentials available in GitHub Actions runners, and the affected vendors paid bug bounties and patched the issue without issuing CVEs or public advisories. Separate research also identified a trojanized PyPI package, **`hermes-px`**, marketed as a privacy-focused AI proxy but designed to steal user prompts and exfiltrate data, including an altered Claude Code system prompt. Together, the findings show that the most immediate risk around AI developer tooling is not only the model itself but the runtime and integration layer, where untrusted repository content, overprivileged CI/CD workflows, and malicious third-party packages can turn coding assistants into secret-leaking supply-chain footholds. Defenders were urged to minimize agent permissions, restrict secret exposure, rotate credentials, prefer short-lived OIDC tokens, and harden GitHub Actions configurations such as `pull_request_target` usage.
Jun 1, 2026
Shai-Hulud Hades Campaign Poisoned 19 PyPI Packages to Steal Developer Secrets
Researchers reported that the **Hades** malware campaign, tied to the broader **Shai-Hulud/Miasma** lineage, poisoned **19 PyPI packages** across **37 malicious releases**, including widely used bioinformatics and science-focused tools. The malicious packages abused Python startup and import mechanisms such as executable `.pth` files and obfuscated `__init__.py` hooks to automatically fetch the **Bun** JavaScript runtime from GitHub and launch an obfuscated stealer payload, often without requiring normal package execution. Investigators said the malware harvested a broad set of secrets from developer workstations and CI/CD environments, including GitHub, npm, PyPI, cloud, Kubernetes, SSH, Docker, and shell-history credentials, while using GitHub repositories, GitHub Actions, and secondary HTTPS channels for exfiltration. Security firms said the operation expands earlier Shai-Hulud tradecraft with **AI-analysis evasion**, hidden prompts intended to mislead LLM-based security tools, payload retrieval from GitHub commits, SSH/SCP-based lateral movement, IDE and AI-assistant backdooring, and destructive components such as a `gh-token-monitor` service. Reporting also linked the campaign to an attempted compromise of the **Pythagora-io/gpt-pilot** project after the maintainer account **LeonOstrez** was breached, although the malicious changes reportedly failed CI checks because formatting and linting rules blocked them. Defenders were urged to rotate exposed secrets, restore from trusted backups, and hunt for indicators including executable `.pth` files, Bun downloads from GitHub, and unusual Python-to-Bun process chains on Linux and macOS systems.
Jun 15, 2026
Trojanized Xinference PyPI Releases Deployed a Multi-Stage Credential Stealer
Three consecutive `xinference` releases on PyPI—`2.6.0`, `2.6.1`, and `2.6.2`—were compromised with malicious code injected into `xinference/__init__.py`, causing a payload to run on import before the packages were yanked by maintainers. Researchers said the trojanized package launched a detached Python subprocess that decoded and executed a multi-stage stealer, with later versions refining the injection to make it less obvious while preserving the same second-stage collector. JFrog and StepSecurity linked the activity to the broader **TeamPCP** campaign based on payload structure, actor markers, and tradecraft, though JFrog noted the group publicly denied involvement and claimed a copycat reused its name and tooling. The malware harvested SSH keys, cloud credentials, Kubernetes tokens, package manager secrets, environment files, TLS keys, developer secrets, and cryptocurrency wallets, and included AWS-focused logic to query instance metadata and enumerate secrets-related services. Stolen data was archived as `love.tar.gz` and exfiltrated to `whereisitat.lucyatemysuperbox.space` using a POST request with the custom header `X-QT-SR: 14`; StepSecurity said its Harden-Runner blocked the outbound transfer in testing. Security firms advised organizations to treat any host that installed or imported the affected versions as fully compromised, rotate all accessible credentials, audit logs for misuse, and rebuild impacted environments from a trusted baseline.
Apr 28, 2026