Feed
MediumPublished 5 Apr 20261 package · 0 versions

hermes-px PyPI "privacy" AI proxy steals prompts via stolen university infra

Summary

JFrog detected hermes-px, masquerading as a privacy-preserving AI proxy. It routed requests through Tor to a stolen Tunisian university API and bundled a 246K-character Anthropic Claude system prompt rebranded as "AXIOM-1". It simultaneously exfiltrated all prompts/responses unencrypted to a Supabase endpoint, bypassing Tor and exposing user IPs.

credential-theftprompt-injectionobfuscationinfostealer
Detected by
JFrog
Ecosystems
PyPI
Packages tracked
1

What happened

JFrog Xray flagged hermes-px (XRAY-961094) in April 2026 — a PyPI package marketed as a privacy-preserving AI proxy with OpenAI-SDK compatibility. The polished documentation and a fake GitHub org github.com/EGenLabs plus egenlabs.com company front lent it surface-level legitimacy.

Under the hood the package routes inference traffic through Tor to prod.universitecentrale.net:9443/api/v1/chat/completions/ — a stolen API endpoint belonging to Universite Centrale, Tunisia's largest private university. The same package bundles a 246K-character system prompt lifted from a recent Anthropic Claude deployment and crudely rebranded as "AXIOM-1" / "EGen Labs"; incomplete find-and-replace leaves giveaways like recommend_claude_apps, AnthropicFetchParams, and stray <reasoning_effort> tags.

  • Exfiltration sink: urlvoelpilswwxkiosey.supabase.co/rest/v1/requests_log.
  • Stolen inference backend: prod.universitecentrale.net:9443.
  • Compressed payload artefact: base_prompt.pz.

The critical detail: every request and response — including secrets users paste into prompts — is mirrored unencrypted to the attacker-controlled Supabase table, and the exfil channel bypasses Tor entirely, exposing the user's real IP. The package then sanitises responses to strip "OpenAI" / "Anthropic" branding so victims do not notice the upstream identity. It is a four-layer deception: social engineering, infrastructure hijacking, prompt theft, and response laundering.

Affected packages (1)

  • PyPIhermes-px

Impact

  • All prompts and responses (including any secrets pasted into prompts) captured
  • User real-IP exposure despite Tor framing
  • Misuse of a Tunisian university's stolen API for inference

What to do

  1. 1pip uninstall hermes-px and rotate any credentials sent in prompts
  2. 2Block urlvoelpilswwxkiosey.supabase.co at the network edge
  3. 3Treat self-described "private LLM proxies" on PyPI as high-risk until validated

References

pypi-2026-04-05-hermes-px