Trojanized PyPI AI Proxy Steals User Data Silently
Significant risk — action recommended within 24-48 hours
Basically, a fake AI tool stole users' data while pretending to keep it safe.
A malicious Python package named hermes-px has been found on PyPI, masquerading as a privacy-focused AI tool. Any developer who installed it is at risk: the package exfiltrated the prompts and other sensitive data routed through it. Immediate action is required to limit the damage.
What Happened
A new threat has emerged in the form of a malicious Python package named hermes-px. Disguised as a privacy-focused AI inference tool, the package was published on the Python Package Index (PyPI), where it marketed itself as a Secure AI Inference Proxy. In reality it was built to steal sensitive user data without the user noticing.
How It Works
The package hijacked a private university's internal AI endpoint and captured every message sent through it. Instead of protecting user anonymity as advertised, it exposed the real IP addresses of its victims. The package shipped with extensive documentation, installation instructions and a user-friendly interface, which made it look legitimate and trustworthy.
Who's Being Targeted
The primary targets of hermes-px are software developers working with AI models. Developers searching for a free, privacy-oriented alternative to paid SDKs may have installed this package believing it to be a safe option. Once integrated into a project, every prompt sent through the package was logged, with no visible sign of compromise.
Signs of Infection
If hermes-px is installed anywhere in your environment, assume compromise: the package gave no visible sign of what it was doing. Beyond collecting data, it contained a feature that let the attackers execute additional code remotely, so new malicious behaviour could be pushed at any time without a new package version appearing, and there was nothing for users to notice.
How to Protect Yourself
If you suspect you have installed hermes-px, take immediate action:
- Uninstall the package (pip uninstall hermes-px) from every environment, and remove it from any requirements or lock files so it is not reinstalled on the next build.
- Rotate any credentials, API keys or other sensitive data that were included in prompts sent through the package.
- Treat every conversation passed through hermes-px as compromised and review it for sensitive information.
- Block the attacker's exfiltration endpoint at the network level.
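As an added example (not code from the advisory or from the hermes-px authors), the script below automates the first three steps: it reports whether hermes-px is installed in the current interpreter, finds it in a requirements file under any spelling PyPI treats as equivalent (hermes_px, Hermes.PX), and flags lines in a saved prompt log that carried credentials so you know what to rotate. The secret regexes and the sample inputs are this example's own assumptions, not indicators published for hermes-px.

```python
"""Triage helper for a machine that may have installed hermes-px.

Added example, not code from the advisory. It automates three of the steps
above: find the package in the current environment and in dependency files,
and flag prompts in a local log that carried credentials so they can be
rotated. The secret patterns are common, conservative regexes and are an
assumption of this example, not indicators published for hermes-px.
"""
import re
from importlib import metadata

PACKAGE = "hermes-px"


def normalize(name: str) -> str:
    """PEP 503 normalization: hermes_px, Hermes.PX and hermes-px are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_version(name: str = PACKAGE):
    """Return the installed version of `name`, or None if it is not in this environment."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None


REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def find_in_requirements(text: str, name: str = PACKAGE) -> list:
    """Return (line_number, line) for every requirement line that pins `name`.

    Handles version specifiers, extras and comments, e.g. `hermes_px[all]>=0.2  # proxy`.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.split("#", 1)[0].strip()
        if not stripped or stripped.startswith("-"):  # pip options such as -r other.txt
            continue
        m = REQ_LINE.match(stripped)
        if m and normalize(m.group(1)) == normalize(name):
            hits.append((lineno, line.rstrip()))
    return hits


# Material that must be rotated if it was ever sent through the proxy (assumed patterns).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{20,}", re.I),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "assigned_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\s*[=:]\s*['\"]?[^\s'\"]{8,}"
    ),
}


def scan_prompt_log(lines) -> list:
    """Return (line_number, kind) for every log line that matches a secret pattern."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))
    return findings


if __name__ == "__main__":
    # Constructed sample inputs; replace with your own requirements.txt and prompt log.
    sample_reqs = "requests==2.31\nhermes_px[all]>=0.2  # proxy\n"
    sample_log = ["user: summarize this doc", "user: api_key=sk-live-0123456789abcdef"]
    print("installed version:", installed_version())
    print("pinned in requirements:", find_in_requirements(sample_reqs))
    print("prompts needing rotation:", scan_prompt_log(sample_log))
```

Run it inside each virtual environment and CI image separately; `importlib.metadata` only sees the interpreter it runs under, so a package pinned in a lock file but installed elsewhere is exactly the case the requirements scan is there to catch.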
Technical Details
At the heart of hermes-px was a compressed file containing a copy of Anthropic's Claude Code system prompt. The prompt had been modified but still carried identifiable markers linking it back to its original source. The attackers obfuscated the package heavily, making it difficult for security tools to detect the threat, and kept sensitive data encrypted in memory, which complicates standard analysis techniques.
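The packed-loader shape described here (a compressed blob that is unpacked and executed at import time, under heavy obfuscation) is something you can screen for before installing a package or after the fact. The following is an added example, not the advisory's own analysis and not a detector built from hermes-px's actual code: it parses a package's Python sources with the standard ast module and flags decode-and-execute primitives, large embedded literals and network imports. The indicator lists are assumptions of this example and yield a screening verdict, not proof of malice.

```python
"""Static triage for a suspicious Python package: flag the building blocks of a
packed, self-decoding loader (a compressed blob decoded and executed at import
time). Added example, not from the advisory and not an analysis of hermes-px
itself; the indicator lists are this example's assumption and give a screening
heuristic, not proof of malice.
"""
import ast
import os

# Calls that turn data back into code, or unpack data just before doing so (assumed list).
DECODE_OR_EXEC = {
    "exec", "eval", "compile", "__import__",
    "marshal.loads", "zlib.decompress", "base64.b64decode", "base64.b85decode",
    "lzma.decompress", "bz2.decompress", "pickle.loads",
}
# Modules a "local" proxy has no reason to touch unless it talks to somewhere else.
NETWORK_MODULES = {"socket", "urllib", "urllib.request", "http.client", "requests", "httpx"}
LARGE_LITERAL = 2048  # str/bytes constants at least this long are likely embedded payloads


def _call_name(node: ast.Call) -> str:
    """Render the callee as 'name' or 'module.attr' for lookup in DECODE_OR_EXEC."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def scan_source(src: str, filename: str = "<memory>") -> list:
    """Return (filename, line, kind, detail) findings for one module's source."""
    try:
        tree = ast.parse(src, filename=filename)
    except SyntaxError as e:  # obfuscated loaders are sometimes not valid on this interpreter
        return [(filename, e.lineno or 0, "unparseable", str(e))]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DECODE_OR_EXEC:
                findings.append((filename, node.lineno, "decode_or_exec", name))
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in NETWORK_MODULES:
                    findings.append((filename, node.lineno, "network_import", alias.name))
        elif isinstance(node, ast.ImportFrom) and node.module in NETWORK_MODULES:
            findings.append((filename, node.lineno, "network_import", node.module))
        elif isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
            if len(node.value) >= LARGE_LITERAL:
                findings.append((filename, node.lineno, "large_literal", f"{len(node.value)} chars"))
    return findings


def scan_package(root: str) -> list:
    """Walk a package directory (e.g. site-packages/<name>) and scan every .py file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(".py"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), path))
    return findings


def verdict(findings) -> str:
    """'suspicious' when a decode/exec primitive appears together with a large literal or a
    network import: that combination is the packed-loader shape. Anything else flagged is 'review'."""
    kinds = {k for _, _, k, _ in findings}
    if "decode_or_exec" in kinds and kinds & {"large_literal", "network_import"}:
        return "suspicious"
    return "review" if findings else "clean"


if __name__ == "__main__":
    # Constructed sample: a loader that inflates an embedded blob and runs it.
    packed = 'import zlib, base64\nimport socket\n_blob = "%s"\nexec(zlib.decompress(base64.b64decode(_blob)))\n' % ("A" * 3000)
    found = scan_source(packed, "loader.py")
    for item in found:
        print(item)
    print("verdict:", verdict(found))
```

Point `scan_package` at the unpacked sdist or wheel before installing, not only at site-packages afterwards; `pip download --no-deps <name>` followed by unzipping gives you the files without running any setup code. Long docstrings will trip the large-literal check, so read the flagged line rather than trusting the count.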
Conclusion
The discovery of hermes-px highlights the ongoing risk posed by third-party packages in the software development ecosystem. Developers must remain vigilant and check any package they intend to use, and be especially sceptical of ones that promise enhanced privacy or security.
🔒 Pro insight: The use of a legitimate-looking package to exfiltrate data underscores the need for rigorous vetting of third-party dependencies.