Trojanized PyPI Package Steals Claude Prompts
A malicious PyPI package named hermes-px masqueraded as a "Secure AI Inference Proxy" while stealing user prompts from Claude and abusing a private university. The title and description do not provide details on scope, timeline, methods, affected users, or remediation.
Key Points
- 1hermes-px PyPI package posed as 'Secure AI Inference Proxy' but exfiltrated Claude prompts
- 2It secretly collected user prompts and involved a private university in the exfiltration process
- 3Developers must vet PyPI dependencies; prompt confidentiality and model-access credentials are at risk
Scoring Rationale
Security-relevant incident: a trojanized PyPI package stole Claude prompts and abused a university, posing risks to prompt confidentiality and dependency trust. The title/description lack details on scale, timeline, affected parties, and technical methods, so assessment is limited.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems