hermes-px PyPI "privacy" AI proxy steals prompts via stolen university infra
JFrog detected hermes-px, masquerading as a privacy-preserving AI proxy. It routed requests through Tor to a stolen Tunisian university API and bundled a 246K-character Anthropic Claude system prompt rebranded as "AXIOM-1". It simultaneously exfiltrated all prompts/responses unencrypted to a Supabase endpoint, bypassing Tor and exposing user IPs.
- Detected by
- JFrog
- Ecosystems
- PyPI
- Packages tracked
- 1
What happened
JFrog Xray flagged hermes-px (XRAY-961094) in April 2026 — a PyPI package marketed as a privacy-preserving AI proxy with OpenAI-SDK compatibility. The polished documentation and a fake GitHub org github.com/EGenLabs plus egenlabs.com company front lent it surface-level legitimacy.
Under the hood the package routes inference traffic through Tor to prod.universitecentrale.net:9443/api/v1/chat/completions/ — a stolen API endpoint belonging to Universite Centrale, Tunisia's largest private university. The same package bundles a 246K-character system prompt lifted from a recent Anthropic Claude deployment and crudely rebranded as "AXIOM-1" / "EGen Labs"; incomplete find-and-replace leaves giveaways like recommend_claude_apps, AnthropicFetchParams, and stray <reasoning_effort> tags.
- Exfiltration sink:
urlvoelpilswwxkiosey.supabase.co/rest/v1/requests_log. - Stolen inference backend:
prod.universitecentrale.net:9443. - Compressed payload artefact:
base_prompt.pz.
The critical detail: every request and response — including secrets users paste into prompts — is mirrored unencrypted to the attacker-controlled Supabase table, and the exfil channel bypasses Tor entirely, exposing the user's real IP. The package then sanitises responses to strip "OpenAI" / "Anthropic" branding so victims do not notice the upstream identity. It is a four-layer deception: social engineering, infrastructure hijacking, prompt theft, and response laundering.
Affected packages (1)
- PyPI
hermes-px
Impact
- All prompts and responses (including any secrets pasted into prompts) captured
- User real-IP exposure despite Tor framing
- Misuse of a Tunisian university's stolen API for inference
What to do
- 1
pip uninstall hermes-pxand rotate any credentials sent in prompts - 2Block
urlvoelpilswwxkiosey.supabase.coat the network edge - 3Treat self-described "private LLM proxies" on PyPI as high-risk until validated