This is the first time I'm posting anything here but I figured this may be the right audience.

I've never run into something like this and I don't quite know what to make of it. I'm the author and maintainer of libgpiod. The official git repository is the one at kernel.org[1]. There's also a github mirror[2] as well as a documentation page[3] at readthedocs that I maintain.

I noticed (purely by chance) that there's a new website at libgpiod.com that's been created recently. I have nothing to do with it. It's clearly AI-generated but it redirects to my github. It's a 2 month old domain, anonymized registrar, protected by Cloudflare and NeoProtect and a Swedish host behind that.

Clearly someone went to a great length to stay anonymous. I'm afraid of falling victim to some new elaborate supply chain attack. What should I do about it (if anything)? Has anyone else experienced something similar?

[1] git.kernel.org/pub/scm/libs/li…
[2] github.com/brgl/libgpiod
[3] libgpiod.readthedocs.io/

reshared this

in reply to Bartosz Golaszewski

Interesting. Just looked at the other sites they apparently registered and they all do the same thing: say on the bottom they aren't affiliated with the official package and that they only link to documentation. All the ones I checked go to the developer's GitHub profile. Could be someone trying to be well-meaning here with an overnight AI project, but I think it's important to point out everything about these sites could change on a dime.
in reply to Bartosz Golaszewski

I'm reasonably certain that the people who've developed these sites are in India. A couple of them appear to have compromised their systems with credential stealing malware recently. But I don't see anything remotely malicious or phishy in their saved credentials or visited sites. If they were in the habit of doing bad things online, it would almost certainly be evident in their keylog data. However, they appear to be creating a large number of unrelated sites that basically just use SEO to get people to click on their affiliate links and buy stuff at Amazon, etc.
in reply to Bartosz Golaszewski

I did a passive DNS lookup on one of the host IPs for these domains, which are in basically two groups of time (2024-5 and 2026). But they all share a few qualities, including name server records at middlehosted.com:

108.181.247.108

rrname
_dc-mx.f60fb856bfda.osmnx.com
_dc-mx.b5ce1a126c7a.dinov2.com
_dc-mx.7adfbb8745a5.fsspec.com
_dc-mx.0e13b143350f.gseapy.com
_dc-mx.c6c56ec9210f.kivymd.com
_dc-mx.45b83b48adea.pynput.com
_dc-mx.068c61ca79d8.pyodbc.com
_dc-mx.d7fb3628e222.pypdf2.com
_dc-mx.d21ba05b8588.pysftp.com
_dc-mx.aeaab2e746b1.bowtie2.com
_dc-mx.c9ba3f8379cd.ddtrace.com
_dc-mx.a6258de5455a.docxtpl.com
_dc-mx.146e00e48478.elltube.com
_dc-mx.0c39c9f8f0ee.hdbscan.com
_dc-mx.3353ef162267.multrin.com
_dc-mx.de0943ca2691.pymongo.com
aioredis.com
_dc-mx.fbc668446112.aioredis.com
_dc-mx.9ea0beef5e4f.certutil.com
_dc-mx.c273429a2750.chemprop.com
cutadapt.com
_dc-mx.497eb2a8d293.dateutil.com
_dc-mx.f0f8755e9e35.gpiozero.com
_dc-mx.bdaab5a45463.hmmlearn.com
_dc-mx.ecd016286fd0.libgpiod.com
_dc-mx.88bc25810b8a.autogluon.com
_dc-mx.b2bb3cf06aba.bevformer.com
_dc-mx.352fcf2cb67f.ipykernel.com
_dc-mx.ab3782236e1f.nbconvert.com
_dc-mx.578a7752c5e7.pytorch3d.com
_dc-mx.c811adc671e3.pywinauto.com
born2gamer.com
cpanel.born2gamer.com
webdisk.born2gamer.com
webmail.born2gamer.com
cpcalendars.born2gamer.com
_dc-mx.74d423c8d6f0.commitlint.com
_dc-mx.f417b6bbec48.ipywidgets.com
_dc-mx.d42d69f39f8a.weasyprint.com
_dc-mx.4ad93e3ec257.xlsxwriter.com
_dc-mx.024265d17206.apscheduler.com
paidcracked.com
cpanel.paidcracked.com
webdisk.paidcracked.com
webmail.paidcracked.com
cpcontacts.paidcracked.com
cpcalendars.paidcracked.com
leshazlewood.com
paidcracked.org.leshazlewood.com
www.paidcracked.org.leshazlewood.com
cpanel.leshazlewood.com
webdisk.leshazlewood.com
webmail.leshazlewood.com
jonitame.leshazlewood.com
www.jonitame.leshazlewood.com
born2gamer.leshazlewood.com
www.born2gamer.leshazlewood.com
cpcontacts.leshazlewood.com
cpcalendars.leshazlewood.com
paidcracked.leshazlewood.com
www.paidcracked.leshazlewood.com
_dc-mx.c3bb03d3e822.wfdownloader.com
_dc-mx.58ec27e99864.xgbclassifier.com
_dc-mx.180c3a6d37a6.clusterprofiler.com
virtualenvwrapper.com
jonitame.net
webmail.jonitame.net
ai3826.myfoscam.org
paidcracked.org

in reply to Bartosz Golaszewski

This is plain and clean cybersquatting. A common abuse that has worked in the same way for ages. Now they have added AI to the same basic pattern.
There are very few actions you can take, including legal ones.
I seriously doubt any of them works. The simplest thing to do is to warn users on your GitHub pages by indicating the only true source of information, and of course, digitally sign anything. including communications.
in reply to Das Gfrastsackl

@antifuchs My identity is already quite public given that I'm using my real name on my github account. Whoever created libgpiod.com surely must have seen it.
in reply to Bartosz Golaszewski

Something similar happened to a project that I'm loosely involved with in mid-April: huginpanorama.com/. We have no idea whose behind it, and there is no obvious grift (yet).
in reply to Bartosz Golaszewski

multiple popular open source projects (e.g. vlc, gimp) had the problem that other people were SEOing domains with their name providing downloads of the software bundled with crapware installers. Might be preparation for something similar.
Best thing to do is making sure you make it easy to find your software and the legit downloads. If the software is popular enough, a dedicated webpage with a domain name matching the software (which is, e.g., what vlc does not have) may be good.
in reply to Bartosz Golaszewski

The media in this post is not displayed to visitors. To view it, please go to the original post.

A quick check at VirusTotal doesn't reveal any detections, but it is clearly apparent that there's a direct link to the project, via the Meta Tags already presented to VT.

At the very least, head to VT and redo the scan for yourself, and start documenting everything you find from there and elsewhere.

Questa voce è stata modificata (3 settimane fa)
in reply to LumiWorx - Just Vote Dammit!

Another quick check at MXToolbox, shows the associated mail server is on a blacklist, tagged as "Rats Dyna".

"RATS-Dyna - Probable PC or home connection infected with a Trojan, Bot, or Emailer Program -- If you are listed in the Spamrats/RATS-Dyna blacklist and you operate your own mail server, you likely have no valid PTR-Record."

mxtoolbox.com

in reply to Bartosz Golaszewski

The media in this post is not displayed to visitors. To view it, please go to the original post.

I think you can complain about the use of them presenting themselves as “Libgpiod” and you can insist they rephrase that as “the libgpiod.com website”. But also, they do what they don’t want others to do which seems very sketchy too, and depending on your license, violate it.

The real risk is them gaining a foothold via search engines and people believing them to be the owners of the project and then revamp the site with ads or malware. If this was me, I’d contact them and I would request them to cease and handover the domain. Of if you think the site is ok, to let them admin the side bit transfer ownership to you so you can yank it when it becomes malicious

in reply to Bartosz Golaszewski

I'm no security expert and the pros have already chimed in; I'm just here to say that your situation reminds me of thehackernews.com/2026/06/fake…
in reply to Bartosz Golaszewski

I sent the apparent creator of these sites an email asking for clarification about these open source project websites, and a "Bradley Samuelson" sent me back an auto-response that offered to pimp my links and urls. They don't like to pimp gambling/porn/crypto etc. but they will if you pay them double.

Bradley Samuelson
1:10 AM (6 hours ago)
to me

Hello Dear,

I hope you’re doing well!

We’re currently offering guest post opportunities on geniusupdates.com at the following rates:

$40 for general posts

$60 for casino-related posts

Link insertions are available at the same pricing

We’d be happy to publish your content on our websites. Your article will be featured on the homepage as well as in the relevant category, and you’re welcome to include links, videos, and infographics to enhance its value.

Please note that we generally do not accept links related to gambling, loans, casino, pharma, vape, adult, or money transfer niches. However, in some cases, exceptions can be made at a special cost.

You can explore our full list of websites and pricing here:
docs.google.com/spreadsheets/d…

Here’s what I can offer you:

Publishing your unique articles with permanent dofollow links

Professional article writing at a reasonable cost

Complete package: writing + publishing

PS: Most articles and link insertions are completed within 0–24 hours, and they are not labeled as sponsored.

Looking forward to building a long-term collaboration with you!

Thank you

🙂

--
GUIDELINES FOR GUEST POST

Content or link should not be related to gambling/adult/dating/vaping/cbd/cannabis (if related charges will be double)
Content length min 800 words

Questo sito utilizza cookie per riconosce gli utenti loggati e quelli che tornano a visitare. Proseguendo la navigazione su questo sito, accetti l'utilizzo di questi cookie.