mal-2026-6561
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (8c77584b4e40db9023ca0b8a90fa1bd611c859ed486f99ca3a7c9a83dbfa9877)
This package presents itself as a redistribution of NVIDIA/skillspector (pyproject Homepage points to github.com/NVIDIA/skillspector and the source carries NVIDIA copyright headers) but ships an added telemetry.py module whose own header notes it is not part of the upstream project. telemetry.py hardcodes DEFAULT_TELEMETRY_ENDPOINT = "https://livekit-agents.xyz/skillspector-telemetry" and is enabled by default (SKILLSPECTOR_TELEMETRY defaults to '1'). On every skillspector CLI invocation, an @app.callback() hook POSTs a payload containing the installer's hostname (platform.node), username (getpass.getuser), current working directory (os.getcwd), a persistent install_id UUID, OS, arch, Python version, and timestamp to that endpoint. The behavior directly contradicts the README's 'Usage telemetry' section, which states that nothing is sent unless an operator explicitly sets SKILLSPECTOR_TELEMETRY_URL and that usernames, hostnames, and environment values are never sent. The destination domain is unrelated to the declared publisher (NVIDIA). Hostname + username + cwd shipped by default to a non-publisher domain whose documentation explicitly disclaims this collection is covert exfiltration of installer identity, not consensual telemetry.
Source: kam193 (3c5f440b1893b0d6aad59302e3cef3c14e1ae5b51b83144474e8126b3d2f9075)
This package is a modified, unofficial version of the Nvidia project (https://github.com/NVIDIA/skillspector). The modification is disguised as telemetry. The project's README describes the telemetry as opt-in, anonymous usage reporting of selected data added by the redistributor. In fact the "telemetry" uses a default domain suggesting (impersonating) it belongs to Nvidia's LiveKit project and exfiltrates full command arguments on every CLI invocation.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-skillspector
Reasons (based on the campaign):
-
The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
-
exfiltration-generic
-
dependency-confusion
-
clones-real-package
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "src/skillspector/telemetry.py",
"sha256": "82d282569f9fb87c2ae15f5547385f81d914ed2d1f7a7f8aacf3bd2dc543efdc",
"tlsh": "ad91930ad7526a709bab8665593fc0d0e33265d72e402334f4ac83283fae524e6f16f5"
}
],
"package_integrity": [
{
"filename": "skillspector-2.3.9-py3-none-any.whl",
"hashes": {
"blake2b_256": "8dd8122444c43c9023bbc3690320a36f43facfef9baceda1c092070ecb5f27b8",
"md5": "5ea46a75dce2e1ad0ebba4c59d24f198",
"sha256": "ce63c164c163c1848a7dbbd879d9249f869d2d224e16efa570f07cf8ebf23e7d"
}
},
{
"filename": "skillspector-2.3.9.tar.gz",
"hashes": {
"blake2b_256": "b3855454fe3e2014b537ed0d4283736cc6d2f4de68da38384547db4e37c24e2f",
"md5": "e78157087f8d7dc0902ecc55f3f3c702",
"sha256": "759443aa264a96e32b0725e468e3b6d7df230d0e537493c388f37a66445177aa"
}
}
]
}
},
"package": {
"ecosystem": "PyPI",
"name": "skillspector"
},
"versions": [
"0.0.1",
"0.0.2",
"0.0.3",
"0.0.4",
"2.3.7",
"2.3.8",
"2.3.9",
"2.3.10"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
},
{
"contact": [
"https://github.com/kam193",
"https://bad-packages.kam193.eu/"
],
"name": "Kamil Ma\u0144kowski (kam193)",
"type": "REPORTER"
}
],
"database_specific": {
"iocs": {
"domains": [
"livekit-agents.xyz"
],
"urls": [
"https://livekit-agents.xyz/skillspector-telemetry"
]
},
"malicious-packages-origins": [
{
"id": "pypi/2026-06-skillspector/skillspector",
"import_time": "2026-06-28T22:26:30.226402805Z",
"modified_time": "2026-06-28T21:50:42.968173Z",
"sha256": "939ac54a8a665e3e0c6f1c33a59d8a3afb0d3d2c827c30a701973777cd39ff19",
"source": "kam193",
"versions": [
"0.0.1",
"0.0.2",
"0.0.3",
"0.0.4",
"2.3.7",
"2.3.8",
"2.3.9",
"2.3.10"
]
},
{
"id": "pypi/2026-06-skillspector/skillspector",
"import_time": "2026-06-28T23:28:15.10964739Z",
"modified_time": "2026-06-28T21:50:42.968173Z",
"sha256": "3c5f440b1893b0d6aad59302e3cef3c14e1ae5b51b83144474e8126b3d2f9075",
"source": "kam193",
"versions": [
"0.0.1",
"0.0.2",
"0.0.3",
"0.0.4",
"2.3.7",
"2.3.8",
"2.3.9",
"2.3.10"
]
},
{
"id": "IN-MAL-2026-007905",
"import_time": "2026-07-01T22:02:59.03190481Z",
"modified_time": "2026-07-01T21:06:55Z",
"sha256": "8c77584b4e40db9023ca0b8a90fa1bd611c859ed486f99ca3a7c9a83dbfa9877",
"source": "amazon-inspector",
"versions": [
"2.3.9"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8c77584b4e40db9023ca0b8a90fa1bd611c859ed486f99ca3a7c9a83dbfa9877)\nThis package presents itself as a redistribution of NVIDIA/skillspector (pyproject Homepage points to github.com/NVIDIA/skillspector and the source carries NVIDIA copyright headers) but ships an added telemetry.py module whose own header notes it is not part of the upstream project. telemetry.py hardcodes DEFAULT_TELEMETRY_ENDPOINT = \"https://livekit-agents.xyz/skillspector-telemetry\" and is enabled by default (SKILLSPECTOR_TELEMETRY defaults to \u00271\u0027). On every `skillspector` CLI invocation, an @app.callback() hook POSTs a payload containing the installer\u0027s hostname (platform.node), username (getpass.getuser), current working directory (os.getcwd), a persistent install_id UUID, OS, arch, Python version, and timestamp to that endpoint. The behavior directly contradicts the README\u0027s \u0027Usage telemetry\u0027 section, which states that nothing is sent unless an operator explicitly sets SKILLSPECTOR_TELEMETRY_URL and that usernames, hostnames, and environment values are never sent. The destination domain is unrelated to the declared publisher (NVIDIA). Hostname + username + cwd shipped by default to a non-publisher domain whose documentation explicitly disclaims this collection is covert exfiltration of installer identity, not consensual telemetry.\n\n## Source: kam193 (3c5f440b1893b0d6aad59302e3cef3c14e1ae5b51b83144474e8126b3d2f9075)\nThis package is a modified, unofficial version of the Nvidia project (https://github.com/NVIDIA/skillspector). The modification is disguised as telemetry. The project\u0027s README describes the telemetry as opt-in, anonymous usage reporting of selected data added by the redistributor. In fact the \"telemetry\" uses a default domain suggesting (impersonating) it belongs to Nvidia\u0027s LiveKit project and exfiltrates full command arguments on every CLI invocation.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-skillspector\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n\n\n - exfiltration-generic\n\n\n - dependency-confusion\n\n\n - clones-real-package\n",
"id": "MAL-2026-6561",
"modified": "2026-07-01T22:04:56Z",
"published": "2026-06-28T21:50:42Z",
"references": [
{
"type": "WEB",
"url": "https://bad-packages.kam193.eu/pypi/package/skillspector"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/skillspector/2.3.9/"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in skillspector (PyPI)"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.