The JFrog security research team has found a sophisticated malicious PyPI package called Hermes-px. It is presented as a "Secure AI Inference Proxy" that routes OpenAI-compatible requests through the Tor network to keep them private, but it is really an elaborate trap. The package hijacks an AI endpoint at a private university, injects a stolen and rebranded Anthropic Claude system prompt, and sends every user prompt directly to the attacker.
It poses as a product of the fictitious company EGen Labs and exposes an API surface similar to the OpenAI Python SDK. The exfiltration module is the most harmful part because it operates entirely outside the Tor proxy. Because that traffic does not go through Tor, the attacker receives the victim's real IP address, which breaks the tool's promise of anonymity.
A triple-layer encryption pipeline hides sensitive strings from static security scanners. If you use hermes-px, you should uninstall it right away, change any exposed passwords, and treat all data sent through it as compromised. The package is carefully crafted to get developers to use it in real projects.
It comes with complete documentation, installation instructions, code samples, guides for handling errors, and even a working Retrieval-Augmented Generation (RAG) pipeline. It offers developers free AI inference without API keys, while secretly logging their data and exposing their real IP addresses, all on stolen infrastructure.











