`livekit-agents` (npm) + `skillspector` (PyPI) — coordinated multi-ecosystem typosquat exfiltrating to `livekit-agents.xyz`
Between 2026-06-27 and 2026-06-28 a single operator published a coordinated multi-ecosystem typosquat campaign exfiltrating to the lookalike domain livekit-agents.xyz. Unscoped livekit-agents on npm (10 versions, four of them flagged malicious) impersonates the LiveKit Agents SDK while beaconing host telemetry. The PyPI package skillspector (8 versions) — an unauthorized fork of a legitimate Nvidia project — exfiltrates every CLI argument to https://livekit-agents.xyz/skillspector-telemetry. The shared lookalike domain ties both packages to the same operator.
- Detected by
- Amazon Inspector · OpenSSF Package Analysis · Kamil Mańkowski (kam193)
- Also known as
- livekit-agents.xyz typosquat campaign
- Ecosystems
- npmPyPI
- Packages tracked
- 2
What happened
Between 2026-06-27 19:26 UTC and 2026-06-28 22:19 UTC, the npm account yontrump123 (yontrump123@gmail.com) published 10 versions of the unscoped npm package livekit-agents — 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.3.4, and 0.3.5. Amazon Inspector and OpenSSF Package Analysis flagged versions 0.3.0, 0.3.1, 0.3.2, and 0.3.4 as malicious (MAL-2026-6555); the earlier 0.1.x / 0.2.x releases are empty namespace squats positioning the operator to publish under the visible name.
livekit-agents (npm) — telemetry beacon and pre-positioned postinstall
The published versions falsely advertise the package as "the official LiveKit Agents SDK" and link out to legitimate livekit.io documentation, but the actual implementation is a stub. The bundled CLI unconditionally fetch-es https://livekit-agents.xyz/api/metrics with node version, platform, and architecture as a JSON payload — with no documentation of the call and no opt-out flag. The package.json additionally declares a postinstall script slot, but the script file is currently absent from the tarball. The OSV record flags this absent-script declaration as a "pre-positioned attack vector" — a republish under the same maintainer can drop a malicious payload into the postinstall slot without changing the consumer-visible package.json contract, hitting every existing ^0.3.x consumer on the next npm install.
skillspector (PyPI) — Nvidia project forked into a CLI-argv exfiltrator
A second package under the same operator profile — skillspector on PyPI, across 0.0.1, 0.0.2, 0.0.3, 0.0.4, 2.3.7, 2.3.8, 2.3.9, 2.3.10 — is an unauthorized fork of Nvidia's official skillspector project. The original README's "opt-in, anonymous usage reporting" line is preserved verbatim in the malicious fork, but the bundled code unconditionally captures the full sys.argv of every CLI invocation, along with host IP address and username, and POSTs the payload to https://livekit-agents.xyz/skillspector-telemetry. Because argv is captured on every invocation, command-line tokens (database URLs, model paths, API keys passed via --key=...) leak to the operator each time a CLI subcommand runs. CIRCL identifier MAL-2026-6561.
Shared infrastructure ties the campaign together
The lookalike domain livekit-agents.xyz is the linchpin. LiveKit's legitimate infrastructure lives at livekit.io / agents.livekit.io; Nvidia's skillspector is a separate project; there is no plausible reason for an Nvidia AI-skills tool to telemetry-report to a LiveKit-themed third-party lookalike. The shared host across two distinct package ecosystems — npm and PyPI — under two different maintainer profiles, identified within a 24-hour window, indicates a coordinated cross-ecosystem typosquat operation rather than two independent attacks. Anyone exposed to one package should treat the other as a likely follow-on target on the same host.
Disclosure timeline
- 2026-06-27 19:26–21:28 UTC —
livekit-agents@{0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2}published on npm byyontrump123. - 2026-06-28 20:49–22:19 UTC —
livekit-agents@{0.3.4, 0.3.5}published. - 2026-06-28 — Amazon Inspector flags
livekit-agents@{0.3.0,0.3.1,0.3.2,0.3.4}; OSSF publishesMAL-2026-6555. - 2026-06-28 — OSSF publishes
MAL-2026-6561forskillspector(PyPI), reported by Kamil Mańkowski (kam193); evidence on VirusTotal.
Affected packages (2)
- npm
livekit-agents0.3.00.3.10.3.20.3.4 - PyPI
skillspector0.0.10.0.20.0.30.0.42.3.72.3.82.3.92.3.10
Impact
livekit-agents@{0.3.0,0.3.1,0.3.2,0.3.4}(npm) — falsely advertises itself as "the official LiveKit Agents SDK" while linking to legitimatelivekit.iodocumentation; the bundled CLI unconditionally POSTs node version, platform, and architecture telemetry tohttps://livekit-agents.xyz/api/metricswith no documentation or opt-outlivekit-agents(npm) ships an undocumentedpostinstallscript entry inpackage.jsonfor which no script body is currently included in the tarball — the OSV record explicitly flags this as a "pre-positioned attack vector" for future payload delivery via a republish under the same maintainerskillspector@{0.0.1–0.0.4, 2.3.7–2.3.10}(PyPI) — unauthorized modification of Nvidia's officialskillspectorproject that exfiltrates the full argv of every CLI invocation, plus host IP address and username, tohttps://livekit-agents.xyz/skillspector-telemetry— disguised as "opt-in, anonymous usage reporting" in the bundled README, contradicting the actual unconditional behavior- The shared
livekit-agents.xyzexfiltration domain (Nvidia's legitimate project lives atlivekit.io/agents.livekit.io; "skillspector" is a separate Nvidia tool) ties both packages to one operator running a coordinated cross-ecosystem typosquat — anyone exposed to one is likely also a target for the other
What to do
- 1Remove every reference to the unscoped
livekit-agents(npm) andskillspector(PyPI) frompackage.json/requirements.txt/ lockfiles / CI image layers - 2Use the legitimate LiveKit SDKs — under the
@livekit/*scope on npm (e.g.@livekit/agents,@livekit/rtc-node) and from the officiallivekit.iodistribution channels for non-npm clients; verify the maintainer is thelivekitorg - 3For exposed Nvidia tooling, install
skillspectoronly from the verified upstream Nvidia distribution and pin to a known-good release; do not install from PyPI without verifying the publisher - 4Block
livekit-agents.xyzat egress — both the/api/metricsand/skillspector-telemetrypaths beacon to the same lookalike host; hunt firewall and DNS logs for outbound HTTPS to this domain since 2026-06-27 - 5Treat any host that installed either package as having leaked host telemetry and CLI history to the operator; rotate shell-history-resident secrets and review for opportunistic follow-on activity, especially given the npm package has an unfilled
postinstallslot ready for a future malicious republish