I've never run into something like this and I don't quite know what to make of it. I'm the author and maintainer of libgpiod. The official git repository is the one at kernel.org[1]. There's also a github mirror[2] as well as a documentation page[3] at readthedocs that I maintain.
I noticed (purely by chance) that there's a new website at libgpiod.com that's been created recently. I have nothing to do with it. It's clearly AI-generated but it redirects to my github. It's a 2 month old domain, anonymized registrar, protected by Cloudflare and NeoProtect and a Swedish host behind that.
Clearly someone went to great lengths to stay anonymous. I'm afraid of falling victim to some new elaborate supply chain attack. What should I do about it (if anything)? Has anyone else experienced something similar?
[1] https://git.kernel.org/pub/scm/libs/libgpiod/libgpiod.git/
[2] https://github.com/brgl/libgpiod
[3] https://libgpiod.readthedocs.io/
@brgl Interesting. Just looked at the other sites they apparently registered and they all do the same thing: say on the bottom they aren't affiliated with the official package and that they only link to documentation. All the ones I checked go to the developer's GitHub profile. Could be someone trying to be well-meaning here with an overnight AI project, but I think it's important to point out everything about these sites could change on a dime.
@brgl I'm reasonably certain that the people who've developed these sites are in India. A couple of them appear to have compromised their systems with credential stealing malware recently. But I don't see anything remotely malicious or phishy in their saved credentials or visited sites. If they were in the habit of doing bad things online, it would almost certainly be evident in their keylog data. However, they appear to be creating a large number of unrelated sites that basically just use SEO to get people to click on their affiliate links and buy stuff at Amazon, etc.
@brgl I did a passive DNS lookup on one of the host IPs for these domains, which fall into basically two time groups (2024-5 and 2026). But they all share a few qualities, including name server records at middlehosted.com:
108.181.247.108
rrname
_dc-mx.f60fb856bfda.osmnx.com
_dc-mx.b5ce1a126c7a.dinov2.com
_dc-mx.7adfbb8745a5.fsspec.com
_dc-mx.0e13b143350f.gseapy.com
_dc-mx.c6c56ec9210f.kivymd.com
_dc-mx.45b83b48adea.pynput.com
_dc-mx.068c61ca79d8.pyodbc.com
_dc-mx.d7fb3628e222.pypdf2.com
_dc-mx.d21ba05b8588.pysftp.com
_dc-mx.aeaab2e746b1.bowtie2.com
_dc-mx.c9ba3f8379cd.ddtrace.com
_dc-mx.a6258de5455a.docxtpl.com
_dc-mx.146e00e48478.elltube.com
_dc-mx.0c39c9f8f0ee.hdbscan.com
_dc-mx.3353ef162267.multrin.com
_dc-mx.de0943ca2691.pymongo.com
aioredis.com
_dc-mx.fbc668446112.aioredis.com
_dc-mx.9ea0beef5e4f.certutil.com
_dc-mx.c273429a2750.chemprop.com
cutadapt.com
_dc-mx.497eb2a8d293.dateutil.com
_dc-mx.f0f8755e9e35.gpiozero.com
_dc-mx.bdaab5a45463.hmmlearn.com
_dc-mx.ecd016286fd0.libgpiod.com
_dc-mx.88bc25810b8a.autogluon.com
_dc-mx.b2bb3cf06aba.bevformer.com
_dc-mx.352fcf2cb67f.ipykernel.com
_dc-mx.ab3782236e1f.nbconvert.com
_dc-mx.578a7752c5e7.pytorch3d.com
_dc-mx.c811adc671e3.pywinauto.com
born2gamer.com
cpanel.born2gamer.com
webdisk.born2gamer.com
webmail.born2gamer.com
cpcalendars.born2gamer.com
_dc-mx.74d423c8d6f0.commitlint.com
_dc-mx.f417b6bbec48.ipywidgets.com
_dc-mx.d42d69f39f8a.weasyprint.com
_dc-mx.4ad93e3ec257.xlsxwriter.com
_dc-mx.024265d17206.apscheduler.com
paidcracked.com
cpanel.paidcracked.com
webdisk.paidcracked.com
webmail.paidcracked.com
cpcontacts.paidcracked.com
cpcalendars.paidcracked.com
leshazlewood.com
paidcracked.org.leshazlewood.com
www.paidcracked.org.leshazlewood.com
cpanel.leshazlewood.com
webdisk.leshazlewood.com
webmail.leshazlewood.com
jonitame.leshazlewood.com
www.jonitame.leshazlewood.com
born2gamer.leshazlewood.com
www.born2gamer.leshazlewood.com
cpcontacts.leshazlewood.com
cpcalendars.leshazlewood.com
paidcracked.leshazlewood.com
www.paidcracked.leshazlewood.com
_dc-mx.c3bb03d3e822.wfdownloader.com
_dc-mx.58ec27e99864.xgbclassifier.com
_dc-mx.180c3a6d37a6.clusterprofiler.com
virtualenvwrapper.com
jonitame.net
webmail.jonitame.net
ai3826.myfoscam.org
paidcracked.org
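The listing above is the raw output of the technique: one shared IP, many rrnames, and the pattern that matters only becomes visible once the records are grouped by registrable domain and compared against the names of the projects you care about. The following script is an added example (not code from this thread, from Brian Krebs, or from libgpiod) that does that grouping offline over a constructed subset of the rrnames quoted above. The watch list of project names, the "last two labels form the registrable domain" rule, and the record classes are assumptions made for the example; a real run should use the public suffix list instead of the two-label rule, which misclassifies multi-label suffixes such as co.uk.

```python
"""Cluster passive-DNS rrnames that share one IP into registrable domains,
classify each cluster, and flag domains whose second-level label collides
with a watched open-source project name.

Added example, not code from the thread or from libgpiod.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: a subset of the rrnames shown for 108.181.247.108.
SAMPLE_RRNAMES = """
_dc-mx.ecd016286fd0.libgpiod.com
_dc-mx.f0f8755e9e35.gpiozero.com
_dc-mx.de0943ca2691.pymongo.com
aioredis.com
_dc-mx.fbc668446112.aioredis.com
born2gamer.com
cpanel.born2gamer.com
webmail.born2gamer.com
paidcracked.org.leshazlewood.com
www.paidcracked.org.leshazlewood.com
cpanel.leshazlewood.com
ai3826.myfoscam.org
virtualenvwrapper.com
"""

# Assumed watch list: projects you maintain or depend on.
WATCHED_PROJECTS = {"libgpiod", "gpiozero", "pymongo", "aioredis", "requests"}

# Hosting-panel labels that indicate a shared cPanel box, not a project site.
PANEL_LABELS = {"cpanel", "webdisk", "webmail", "cpcontacts", "cpcalendars"}

# The "_dc-mx.<12 hex chars>" prefix that recurs across the listing.
DC_MX_RE = re.compile(r"_dc-mx\.[0-9a-f]{12}")


def registrable_domain(rrname: str) -> str:
    """Assumption: the last two labels form the registrable domain."""
    labels = rrname.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def cluster(rrnames: str) -> dict[str, set[str]]:
    """Group rrnames by registrable domain.

    The value is the set of prefixes seen under that domain; the empty
    string stands for the apex itself.
    """
    groups: dict[str, set[str]] = defaultdict(set)
    for line in rrnames.splitlines():
        name = line.strip().lower()
        if not name:
            continue
        apex = registrable_domain(name)
        prefix = name[: -len(apex)].rstrip(".") if name != apex else ""
        groups[apex].add(prefix)
    return dict(groups)


def classify(prefixes: set[str]) -> str:
    """Assumed record classes, checked in priority order."""
    if any(DC_MX_RE.fullmatch(p) for p in prefixes):
        return "dc-mx"              # the mail-setup pattern from the listing
    if any("." in p for p in prefixes):
        return "nested-domain"      # another domain name stuffed in a subdomain
    if prefixes & PANEL_LABELS:
        return "cpanel-host"        # only hosting-panel hostnames
    if prefixes <= {"", "www"}:
        return "apex-only"
    return "other"


def collisions(groups: dict[str, set[str]],
               watched: set[str] = WATCHED_PROJECTS) -> list[str]:
    """Domains whose second-level label equals a watched project name."""
    return sorted(d for d in groups if d.split(".")[0] in watched)


def report(rrnames: str = SAMPLE_RRNAMES) -> dict[str, tuple[str, bool]]:
    """Map each registrable domain to (record class, collides-with-watch-list)."""
    groups = cluster(rrnames)
    return {apex: (classify(prefixes), apex.split(".")[0] in WATCHED_PROJECTS)
            for apex, prefixes in groups.items()}


if __name__ == "__main__":
    for apex, (kind, hit) in sorted(report().items()):
        print(f"{'!! ' if hit else '   '}{apex:28s} {kind}")
```

Feed the full rrname column from your passive-DNS provider into `cluster()` and replace `WATCHED_PROJECTS` with the names of the projects you ship; the `dc-mx` class plus a watch-list hit is the combination that singled out libgpiod.com in the thread, while `cpanel-host` and `nested-domain` clusters show what else the operator runs on the same box.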
@briankrebs @brgl It looks like paidcracked[.]org might be doing some sketchy SEO stuff, they might be preparing to monetize search results for popular packages, but yeah, wouldn't rule out future malware campaigns. Sketchy all around.
@briankrebs @brgl dude just did an adhoc threat hunt and analysis like nbd and i demand to know this workflow, krebs 😆
@brgl multiple popular open source projects (e.g. vlc, gimp) had the problem that other people were SEOing domains with their name providing downloads of the software bundled with crapware installers. Might be preparation for something similar.
The best thing to do is to make sure you make it easy to find your software and the legit downloads. If the software is popular enough, a dedicated webpage with a domain name matching the software (which is, e.g., what vlc does not have) may be good.
@brgl can you unlock it so i can quote post
@briankrebs @brgl thanks for taking a look Brian.
@brgl (note you may want to invalidate the URL to break the SEO)
@SwiftOnSecurity @briankrebs @brgl seems to be down for me..
@briankrebs i really miss the `ip:` search operator that bing used to have. i used that to discover rogue application servers on campus when i worked at a uni. that and complimentary shodan accounts were all we had 😆
@brgl I'd start reporting it as a malware/phishing site to Clownflare, etc.
@briankrebs Definitely not well meaning, the scam copy for my own project has crosslinks to other similar sites + at least one scam link.
@brgl You realize that by mentioning it as a URL you actually tell the bots it's reputable... Maybe GH supports a way to add rel="nofollow noopener noreferrer" ?
A quick check at VirusTotal doesn't reveal any detections, but it is clearly apparent that there's a direct link to the project, via the Meta Tags already presented to VT.
At the very least, head to VT and redo the scan for yourself, and start documenting everything you find from there and elsewhere.
Another quick check at MXToolbox shows the associated mail server is on a blacklist, tagged as "Rats Dyna".
"RATS-Dyna - Probable PC or home connection infected with a Trojan, Bot, or Emailer Program -- If you are listed in the Spamrats/RATS-Dyna blacklist and you operate your own mail server, you likely have no valid PTR-Record."
One last check - on a _very_ old tool - shows the not-so-anonymous registrar as epik.com.
Well, I doubt it's considered a frontline tool these days, but it still works - well, most of it does - and I'm not one to toss something out because of its age or because it's no longer maintained, while it offers a tidy group of some still-useful utilities in one package.
@lumiworx @confuseacat @brgl holy crap. I haven't seen that tool in ages. What's next? Are you going to whip out SATAN? :))))
@briankrebs @confuseacat @brgl
I have a pair of needle-nose pliers that are older than I am that I got from my father, so some things have sentimental value and a few less 'teeth', but have a comfortable and familiar grip.
But, no... no SATAN. lol
@brgl I sent the apparent creator of these sites an email asking for clarification about these open source project websites, and a "Bradley Samuelson" sent me back an auto-response that offered to pimp my links and urls. They don't like to pimp gambling/porn/crypto etc. but they will if you pay them double.
Bradley Samuelson
1:10 AM (6 hours ago)
to me
Hello Dear,
I hope you’re doing well!
We’re currently offering guest post opportunities on geniusupdates.com at the following rates:
$40 for general posts
$60 for casino-related posts
Link insertions are available at the same pricing
We’d be happy to publish your content on our websites. Your article will be featured on the homepage as well as in the relevant category, and you’re welcome to include links, videos, and infographics to enhance its value.
Please note that we generally do not accept links related to gambling, loans, casino, pharma, vape, adult, or money transfer niches. However, in some cases, exceptions can be made at a special cost.
You can explore our full list of websites and pricing here:
https://docs.google.com/spreadsheets/d/1EA25jyBGxZYLJ_r-gQRzzSGIG7Kj8GaJz__5yD0rncI/edit?usp=sharing
Here’s what I can offer you:
Publishing your unique articles with permanent dofollow links
Professional article writing at a reasonable cost
Complete package: writing + publishing
PS: Most articles and link insertions are completed within 0–24 hours, and they are not labeled as sponsored.
Looking forward to building a long-term collaboration with you!
Thank you
🙂
--
GUIDELINES FOR GUEST POST
Content or link should not be related to gambling/adult/dating/vaping/cbd/cannabis (if related charges will be double)
Content length min 800 words