MAL-2026-6561

Malicious code in skillspector (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: kam193 (3c5f440b1893b0d6aad59302e3cef3c14e1ae5b51b83144474e8126b3d2f9075)

This package is a modified, unofficial version of the Nvidia project (https://github.com/NVIDIA/skillspector). The modification is disguised as telemetry. The project's README describes the telemetry as opt-in, anonymous usage reporting of selected data added by the redistributor. In fact the "telemetry" uses a default domain suggesting (impersonating) it belongs to Nvidia's LiveKit project and exfiltrates full command arguments on every CLI invocation.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-skillspector

Reasons (based on the campaign):

- The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

- exfiltration-generic

- dependency-confusion

- clones-real-package

Affected packages

PyPI / skillspector

No fixed version published yet for skillspector (pip). Pin to a known-safe version or switch to an alternative.
