Supply-chain threat intelligence
Risk score: 92
Indexed incident for skillspector (pypi).
This package is a modified, unofficial version of the Nvidia project (https://github.com/NVIDIA/skillspector). The modification is disguised as telemetry: the redistributor's README describes it as opt-in, anonymous reporting of selected usage data added by the redistributor. In fact, the "telemetry" defaults to a domain chosen to suggest it belongs to Nvidia's LiveKit project (impersonation) and exfiltrates the full command-line arguments on every CLI invocation.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-skillspector
Reasons (based on the campaign):
The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
exfiltration-generic
dependency-confusion
clones-real-package