This is the first time I'm posting anything here but I figured this may be the right audience.
I've never run into something like this and I don't quite know what to make of it. I'm the author and maintainer of libgpiod. The official git repository is the one at kernel.org[1]. There's also a github mirror[2] as well as a documentation page[3] at readthedocs that I maintain.
I noticed (purely by chance) that there's a new website at libgpiod.com that's been created recently. I have nothing to do with it. It's clearly AI-generated but it redirects to my github. It's a 2 month old domain, anonymized registrar, protected by Cloudflare and NeoProtect and a Swedish host behind that.
Clearly someone went to a great length to stay anonymous. I'm afraid of falling victim to some new elaborate supply chain attack. What should I do about it (if anything)? Has anyone else experienced something similar?
[1] git.kernel.org/pub/scm/libs/li…
[2] github.com/brgl/libgpiod
[3] libgpiod.readthedocs.io/
Libgpiod - Modern C Library for Linux GPIO Hardware Control
Libgpiod is a modern C library for Linux GPIO control, enabling efficient hardware access for embedded and system developers. #LibgpiodLibgpiod
reshared this
Diego Roversi
in reply to Bartosz Golaszewski • •Jaroslav "Řezza" Řezník likes this.
BrianKrebs
in reply to Bartosz Golaszewski • • •SwiftOnSecurity
in reply to BrianKrebs • • •Xarn
in reply to BrianKrebs • • •BrianKrebs
in reply to Bartosz Golaszewski • • •Emory
in reply to BrianKrebs • • •BrianKrebs
in reply to Emory • • •Bartosz Golaszewski
in reply to BrianKrebs • • •BrianKrebs
in reply to Bartosz Golaszewski • • •I did a passive DNS lookup on one of the host IPs for these domains, which are in basically two groups of time (2024-5 and 2026). But they all share a few qualities, including name server records at middlehosted.com:
108.181.247.108
rrname
_dc-mx.f60fb856bfda.osmnx.com
_dc-mx.b5ce1a126c7a.dinov2.com
_dc-mx.7adfbb8745a5.fsspec.com
_dc-mx.0e13b143350f.gseapy.com
_dc-mx.c6c56ec9210f.kivymd.com
_dc-mx.45b83b48adea.pynput.com
_dc-mx.068c61ca79d8.pyodbc.com
_dc-mx.d7fb3628e222.pypdf2.com
_dc-mx.d21ba05b8588.pysftp.com
_dc-mx.aeaab2e746b1.bowtie2.com
_dc-mx.c9ba3f8379cd.ddtrace.com
_dc-mx.a6258de5455a.docxtpl.com
_dc-mx.146e00e48478.elltube.com
_dc-mx.0c39c9f8f0ee.hdbscan.com
_dc-mx.3353ef162267.multrin.com
_dc-mx.de0943ca2691.pymongo.com
aioredis.com
_dc-mx.fbc668446112.aioredis.com
_dc-mx.9ea0beef5e4f.certutil.com
_dc-mx.c273429a2750.chemprop.com
cutadapt.com
_dc-mx.497eb2a8d293.dateutil.com
_dc-mx.f0f8755e9e35.gpiozero.com
_dc-mx.bdaab5a45463.hmmlearn.com
_dc-mx.ecd016286fd0.libgpiod.com
_dc-mx.88bc25810b8a.autogluon.com
_dc-mx.b2bb3cf06aba.bevformer.com
_dc-mx.352fcf2cb67f.ipykernel.com
_dc-mx.ab3782236e1f.nbconvert.com
_dc-mx.578a7752c5e7.pytorch3d.com
_dc-mx.c811adc671e3.pywinauto.com
born2gamer.com
cpanel.born2gamer.com
webdisk.born2gamer.com
webmail.born2gamer.com
cpcalendars.born2gamer.com
_dc-mx.74d423c8d6f0.commitlint.com
_dc-mx.f417b6bbec48.ipywidgets.com
_dc-mx.d42d69f39f8a.weasyprint.com
_dc-mx.4ad93e3ec257.xlsxwriter.com
_dc-mx.024265d17206.apscheduler.com
paidcracked.com
cpanel.paidcracked.com
webdisk.paidcracked.com
webmail.paidcracked.com
cpcontacts.paidcracked.com
cpcalendars.paidcracked.com
leshazlewood.com
paidcracked.org.leshazlewood.com
www.paidcracked.org.leshazlewood.com
cpanel.leshazlewood.com
webdisk.leshazlewood.com
webmail.leshazlewood.com
jonitame.leshazlewood.com
www.jonitame.leshazlewood.com
born2gamer.leshazlewood.com
www.born2gamer.leshazlewood.com
cpcontacts.leshazlewood.com
cpcalendars.leshazlewood.com
paidcracked.leshazlewood.com
www.paidcracked.leshazlewood.com
_dc-mx.c3bb03d3e822.wfdownloader.com
_dc-mx.58ec27e99864.xgbclassifier.com
_dc-mx.180c3a6d37a6.clusterprofiler.com
virtualenvwrapper.com
jonitame.net
webmail.jonitame.net
ai3826.myfoscam.org
paidcracked.org
Jack
in reply to BrianKrebs • • •BrianKrebs
in reply to Jack • • •Emory
in reply to BrianKrebs • • •Francesco P Lovergine
in reply to Bartosz Golaszewski • • •There are very few actions you can take, including legal ones.
I seriously doubt any of them works. The simplest thing to do is to warn users on your GitHub pages by indicating the only true source of information, and of course, digitally sign anything. including communications.
Krzysztof Kozlowski
in reply to Bartosz Golaszewski • • •I don't think advertisements on a website for such specific purpose SW would pay the cost of domain, so more likely this prepares for spreading malware and future supply chain attack.
Unless I underestimated popularity of libgpiod :)
9lore
in reply to Bartosz Golaszewski • • •There is a contact form which sends a POST request to the domain. This smells really bad.
Cassandrich
in reply to Bartosz Golaszewski • • •Haelwenn /элвэн/
in reply to Cassandrich • • •.comTLD.Bartosz Golaszewski
in reply to Cassandrich • • •PulkoMandy
in reply to Bartosz Golaszewski • • •C.
in reply to Bartosz Golaszewski • • •It's a phishing/impersonation site. In future, it could change to serve malware or a trojaned version of the repository, after enough people are using that domain to get to your project (because of search / "AI" / etc).
Report it for impersonation, get it taken down.
Juggling Jester
in reply to Bartosz Golaszewski • • •Make your claim to EPIK / anonymize -
abuse@epik.com + abuse@anonymize.com
But according to en.wikipedia.org/wiki/Epik I doubt they're reacting in any way.
Also make your claim to cloudflare.com:
abuse.cloudflare.com/
Epik - Wikipedia
Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)Numerfolt
in reply to Bartosz Golaszewski • • •That should be the least you can do?
tobozo
in reply to Bartosz Golaszewski • • •ohir
in reply to tobozo • • •@tobozo
> register libgpiod as a trademark
This neds some €300 to even start the process (Madrid Protocol). Then some 300/yr . Then in a case of infringement some tens of thousands in legal representation fees. Otherwise the trademark is practically void.
@brgl
Bartosz Golaszewski
in reply to tobozo • • •cambria
in reply to Bartosz Golaszewski • • •In addition to Cloudflare like people have mentioned, you can report it to Google as a phishing site: safebrowsing.google.com/safebr…
Mozilla also uses Google safe browsing so they don't have a report page, as far as I could tell.
Report a Page to Google Safe Browsing
safebrowsing.google.comAnalog AI
in reply to Bartosz Golaszewski • • •Sensitive content
@SwiftOnSecurity
Ian Campbell 🏴
in reply to Analog AI • • •@Retreival9096 @briankrebs @SecurityWriter @InfoSecGreyBrd @SwiftOnSecurity
hey folks
cluster of 40 domains registered the same day all sharing mailserver IP (CSV file at link) drive.proton.me/urls/GP3T0K24H…
Proton Drive
drive.proton.meDas Gfrastsackl
in reply to Bartosz Golaszewski • • •Bartosz Golaszewski
in reply to Das Gfrastsackl • • •Libgpiod - Modern C Library for Linux GPIO Hardware Control
Libgpiodlukas wirz
in reply to Bartosz Golaszewski • • •Hugin Panorama | Official Open Source Stitcher for Windows & Mac
Hugin Panoramathedoh 🇨🇦
in reply to Bartosz Golaszewski • • •This has been happening to other open source projects (I recall seeing a drive-by warning on a GitHub for a project whose name I can't remember).
It's very clearly setting up typosquatting for later nefarious purposes.
hanno
in reply to Bartosz Golaszewski • • •Best thing to do is making sure you make it easy to find your software and the legit downloads. If the software is popular enough, a dedicated webpage with a domain name matching the software (which is, e.g., what vlc does not have) may be good.
SwiftOnSecurity
in reply to Bartosz Golaszewski • • •Bartosz Golaszewski
in reply to SwiftOnSecurity • • •SwiftOnSecurity
in reply to Bartosz Golaszewski • • •LumiWorx - Just Vote Dammit!
in reply to Bartosz Golaszewski • • •A quick check at VirusTotal doesn't reveal any detections, but it is clearly apparent that there's a direct link to the project, via the Meta Tags already presented to VT.
At the very least, head to VT and redo the scan for yourself, and start documenting everything you find from there and elsewhere.
LumiWorx - Just Vote Dammit!
in reply to LumiWorx - Just Vote Dammit! • • •Another quick check at MXToolbox, shows the associated mail server is on a blacklist, tagged as "Rats Dyna".
"RATS-Dyna - Probable PC or home connection infected with a Trojan, Bot, or Emailer Program -- If you are listed in the Spamrats/RATS-Dyna blacklist and you operate your own mail server, you likely have no valid PTR-Record."
mxtoolbox.com
MX Lookup Tool - Check your DNS MX Records online - MxToolbox
mxtoolbox.comLumiWorx - Just Vote Dammit!
in reply to LumiWorx - Just Vote Dammit! • • •One last check - on a _very_ old tool - shows the not-so-anonymous registrar as, epik.com
Manni
in reply to LumiWorx - Just Vote Dammit! • • •LumiWorx - Just Vote Dammit!
in reply to Manni • • •Well, I doubt it's considered a frontline tool these days, but it still works - well, most of it does - and I'm not one to toss something out because of its age or because its no longer maintained, while it offers a tidy group of some still-useful utilities in one package.
BrianKrebs
in reply to LumiWorx - Just Vote Dammit! • • •LumiWorx - Just Vote Dammit!
in reply to BrianKrebs • • •@briankrebs @confuseacat
I have a pair of needle-nose pliers that are older than I am that I got from my father, so some things have sentimental value and a few less 'teeth', but have a comfortable and familiar grip.
But, no... no SATAN. lol
John Breen
in reply to Bartosz Golaszewski • • •Daniel Gibson
in reply to Bartosz Golaszewski • • •Xdej
in reply to Daniel Gibson • • •Maybe also ask them to change libgpiod's kernel.org page: so that https connections with referal from libgpiod.com are greeted on kernel.org with a clear warning?
@brgl
Mathaetaes
in reply to Bartosz Golaszewski • • •this smells like a rugpull to me. Get it established as reputable, then change instructions to point to malice at some future point.
But I’m also incredibly paranoid, so ::shrug::
Paul Wouters 🇪🇺🇨🇦
in reply to Bartosz Golaszewski • • •I think you can complain about the use of them presenting themselves as “Libgpiod” and you can insist they rephrase that as “the libgpiod.com website”. But also, they do what they don’t want others to do which seems very sketchy too, and depending on your license, violate it.
The real risk is them gaining a foothold via search engines and people believing them to be the owners of the project and then revamp the site with ads or malware. If this was me, I’d contact them and I would request them to cease and handover the domain. Of if you think the site is ok, to let them admin the side bit transfer ownership to you so you can yank it when it becomes malicious
Paul Wouters 🇪🇺🇨🇦
in reply to Bartosz Golaszewski • • •Jérôme Petazzoni
in reply to Bartosz Golaszewski • • •Xarn
in reply to Bartosz Golaszewski • • •I have the same issue with my own project (Catch2) -> catch2.org is AI generated copy of docs with some added scam links.
I tried reporting this to the registrar as scam and they are playing possum with no response.
Bartosz Golaszewski
in reply to Xarn • • •Merc
in reply to Bartosz Golaszewski • • •The author of gluetun is having the same kind of problem.
github.com/passteque/gluetun
GitHub - passteque/gluetun: VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
GitHubJames Just James
in reply to Bartosz Golaszewski • • •Bartosz Golaszewski
in reply to James Just James • • •Andrea C (he/him)
in reply to Bartosz Golaszewski • • •Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS
The Hacker NewsBrianKrebs
in reply to Bartosz Golaszewski • • •I sent the apparent creator of these sites an email asking for clarification about these open source project websites, and a "Bradley Samuelson" sent me back an auto-response that offered to pimp my links and urls. They don't like to pimp gambling/porn/crypto etc. but they will if you pay them double.
Bradley Samuelson
1:10 AM (6 hours ago)
to me
Hello Dear,
I hope you’re doing well!
We’re currently offering guest post opportunities on geniusupdates.com at the following rates:
$40 for general posts
$60 for casino-related posts
Link insertions are available at the same pricing
We’d be happy to publish your content on our websites. Your article will be featured on the homepage as well as in the relevant category, and you’re welcome to include links, videos, and infographics to enhance its value.
Please note that we generally do not accept links related to gambling, loans, casino, pharma, vape, adult, or money transfer niches. However, in some cases, exceptions can be made at a special cost.
You can explore our full list of websites and pricing here:
docs.google.com/spreadsheets/d…
Here’s what I can offer you:
Publishing your unique articles with permanent dofollow links
Professional article writing at a reasonable cost
Complete package: writing + publishing
PS: Most articles and link insertions are completed within 0–24 hours, and they are not labeled as sponsored.
Looking forward to building a long-term collaboration with you!
Thank you
🙂
--
GUIDELINES FOR GUEST POST
Content or link should not be related to gambling/adult/dating/vaping/cbd/cannabis (if related charges will be double)
Content length min 800 words
edit
docs.google.com