Feed
HighPublished 27 Jun 20262 packages · 12 versions

`livekit-agents` (npm) + `skillspector` (PyPI) — coordinated multi-ecosystem typosquat exfiltrating to `livekit-agents.xyz`

Summary

Between 2026-06-27 and 2026-06-28 a single operator published a coordinated multi-ecosystem typosquat campaign exfiltrating to the lookalike domain livekit-agents.xyz. Unscoped livekit-agents on npm (10 versions, four of them flagged malicious) impersonates the LiveKit Agents SDK while beaconing host telemetry. The PyPI package skillspector (8 versions) — an unauthorized fork of a legitimate Nvidia project — exfiltrates every CLI argument to https://livekit-agents.xyz/skillspector-telemetry. The shared lookalike domain ties both packages to the same operator.

typosquatinfostealercredential-theft
Detected by
Amazon Inspector · OpenSSF Package Analysis · Kamil Mańkowski (kam193)
Also known as
livekit-agents.xyz typosquat campaign
Ecosystems
npmPyPI
Packages tracked
2

What happened

Between 2026-06-27 19:26 UTC and 2026-06-28 22:19 UTC, the npm account yontrump123 (yontrump123@gmail.com) published 10 versions of the unscoped npm package livekit-agents0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.3.4, and 0.3.5. Amazon Inspector and OpenSSF Package Analysis flagged versions 0.3.0, 0.3.1, 0.3.2, and 0.3.4 as malicious (MAL-2026-6555); the earlier 0.1.x / 0.2.x releases are empty namespace squats positioning the operator to publish under the visible name.

livekit-agents (npm) — telemetry beacon and pre-positioned postinstall

The published versions falsely advertise the package as "the official LiveKit Agents SDK" and link out to legitimate livekit.io documentation, but the actual implementation is a stub. The bundled CLI unconditionally fetch-es https://livekit-agents.xyz/api/metrics with node version, platform, and architecture as a JSON payload — with no documentation of the call and no opt-out flag. The package.json additionally declares a postinstall script slot, but the script file is currently absent from the tarball. The OSV record flags this absent-script declaration as a "pre-positioned attack vector" — a republish under the same maintainer can drop a malicious payload into the postinstall slot without changing the consumer-visible package.json contract, hitting every existing ^0.3.x consumer on the next npm install.

skillspector (PyPI) — Nvidia project forked into a CLI-argv exfiltrator

A second package under the same operator profile — skillspector on PyPI, across 0.0.1, 0.0.2, 0.0.3, 0.0.4, 2.3.7, 2.3.8, 2.3.9, 2.3.10 — is an unauthorized fork of Nvidia's official skillspector project. The original README's "opt-in, anonymous usage reporting" line is preserved verbatim in the malicious fork, but the bundled code unconditionally captures the full sys.argv of every CLI invocation, along with host IP address and username, and POSTs the payload to https://livekit-agents.xyz/skillspector-telemetry. Because argv is captured on every invocation, command-line tokens (database URLs, model paths, API keys passed via --key=...) leak to the operator each time a CLI subcommand runs. CIRCL identifier MAL-2026-6561.

Shared infrastructure ties the campaign together

The lookalike domain livekit-agents.xyz is the linchpin. LiveKit's legitimate infrastructure lives at livekit.io / agents.livekit.io; Nvidia's skillspector is a separate project; there is no plausible reason for an Nvidia AI-skills tool to telemetry-report to a LiveKit-themed third-party lookalike. The shared host across two distinct package ecosystems — npm and PyPI — under two different maintainer profiles, identified within a 24-hour window, indicates a coordinated cross-ecosystem typosquat operation rather than two independent attacks. Anyone exposed to one package should treat the other as a likely follow-on target on the same host.

Disclosure timeline

  • 2026-06-27 19:26–21:28 UTClivekit-agents@{0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2} published on npm by yontrump123.
  • 2026-06-28 20:49–22:19 UTClivekit-agents@{0.3.4, 0.3.5} published.
  • 2026-06-28 — Amazon Inspector flags livekit-agents@{0.3.0,0.3.1,0.3.2,0.3.4}; OSSF publishes MAL-2026-6555.
  • 2026-06-28 — OSSF publishes MAL-2026-6561 for skillspector (PyPI), reported by Kamil Mańkowski (kam193); evidence on VirusTotal.

Affected packages (2)

  • npmlivekit-agents
    0.3.00.3.10.3.20.3.4
  • PyPIskillspector
    0.0.10.0.20.0.30.0.42.3.72.3.82.3.92.3.10

Impact

  • livekit-agents@{0.3.0,0.3.1,0.3.2,0.3.4} (npm) — falsely advertises itself as "the official LiveKit Agents SDK" while linking to legitimate livekit.io documentation; the bundled CLI unconditionally POSTs node version, platform, and architecture telemetry to https://livekit-agents.xyz/api/metrics with no documentation or opt-out
  • livekit-agents (npm) ships an undocumented postinstall script entry in package.json for which no script body is currently included in the tarball — the OSV record explicitly flags this as a "pre-positioned attack vector" for future payload delivery via a republish under the same maintainer
  • skillspector@{0.0.1–0.0.4, 2.3.7–2.3.10} (PyPI) — unauthorized modification of Nvidia's official skillspector project that exfiltrates the full argv of every CLI invocation, plus host IP address and username, to https://livekit-agents.xyz/skillspector-telemetry — disguised as "opt-in, anonymous usage reporting" in the bundled README, contradicting the actual unconditional behavior
  • The shared livekit-agents.xyz exfiltration domain (Nvidia's legitimate project lives at livekit.io / agents.livekit.io; "skillspector" is a separate Nvidia tool) ties both packages to one operator running a coordinated cross-ecosystem typosquat — anyone exposed to one is likely also a target for the other

What to do

  1. 1Remove every reference to the unscoped livekit-agents (npm) and skillspector (PyPI) from package.json / requirements.txt / lockfiles / CI image layers
  2. 2Use the legitimate LiveKit SDKs — under the @livekit/* scope on npm (e.g. @livekit/agents, @livekit/rtc-node) and from the official livekit.io distribution channels for non-npm clients; verify the maintainer is the livekit org
  3. 3For exposed Nvidia tooling, install skillspector only from the verified upstream Nvidia distribution and pin to a known-good release; do not install from PyPI without verifying the publisher
  4. 4Block livekit-agents.xyz at egress — both the /api/metrics and /skillspector-telemetry paths beacon to the same lookalike host; hunt firewall and DNS logs for outbound HTTPS to this domain since 2026-06-27
  5. 5Treat any host that installed either package as having leaked host telemetry and CLI history to the operator; rotate shell-history-resident secrets and review for opportunistic follow-on activity, especially given the npm package has an unfilled postinstall slot ready for a future malicious republish

References

multi-2026-06-27-livekit-agents-skillspector-typosquat