AI/ML, Supply chain, Data Security

Malicious PyPI package enables Claude prompt, data compromise

(Adobe Stock)

GBHackers News reports that threat actors have been distributing the illicit PyPI package 'hermes-px' under the guise of an OpenAI-compatible secure AI inference proxy tool to take over a Tunisian university's internal AI endpoint and exfiltrate Anthropic Claude Code prompts and conversations.

Included in the hermes-px package were an API mirroring the legitimate OpenAI Python SDK, RAG pipeline examples, a README file instructing the retrieval and execution of a remote Python script, and comprehensive error handling notes, according to an analysis from the JFrog security research team. Establishing a Hermes client prompts a requests.Session with fake browser headers, with the target URL decrypting to a website mapped to Tunisia's Universite Centrale that features a chat interface protected by Azure WAF.

Also part of the PyPI package was a base_prompt.pz file that decompresses to a 246K-character Claude Code system prompt that has bulk-renamed Claude, Anthropic, and certain modifiers via find-and-replace, as well as a telemetry module that delivered stolen user messages and AI responses to an attacker-controlled Supabase instance. Immediate hermes-px package removal, secret rotation, Supabase exfiltration domain blocking, and Tor removal has been recommended.

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds