GBHackers News reports that threat actors have been distributing the illicit PyPI package 'hermes-px' under the guise of an OpenAI-compatible secure AI inference proxy tool to take over a Tunisian university's internal AI endpoint and exfiltrate Anthropic Claude Code prompts and conversations.Included in the hermes-px package were an API mirroring the legitimate OpenAI Python SDK, RAG pipeline examples, a README file instructing the retrieval and execution of a remote Python script, and comprehensive error handling notes, according to an analysis from the JFrog security research team. Establishing a Hermes client prompts a requests.Session with fake browser headers, with the target URL decrypting to a website mapped to Tunisia's Universite Centrale that features a chat interface protected by Azure WAF.Also part of the PyPI package was a base_prompt.pz file that decompresses to a 246K-character Claude Code system prompt that has bulk-renamed Claude, Anthropic, and certain modifiers via find-and-replace, as well as a telemetry module that delivered stolen user messages and AI responses to an attacker-controlled Supabase instance. Immediate hermes-px package removal, secret rotation, Supabase exfiltration domain blocking, and Tor removal has been recommended.
AI/ML, Supply chain, Data Security
Malicious PyPI package enables Claude prompt, data compromise

(Adobe Stock)
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



