@brgl There is a contact form which sends a POST request to the domain. This smells really bad.
@brgl I'd start reporting it as a malware/phishing site to Clownflare, etc.
@brgl add a notice to your readme and documentation indicating that the domain is not related to you. Maybe ask other projects who got in similar situations (I think Kicad did a few years ago?)
It's a phishing/impersonation site. In future, it could change to serve malware or a trojaned version of the repository, after enough people are using that domain to get to your project (because of search / "AI" / etc).
Report it for impersonation, get it taken down.
Make your claim to EPIK / anonymize -
abuse@epik.com + abuse@anonymize.com
But according to https://en.wikipedia.org/wiki/Epik I doubt they're reacting in any way.
Also make your claim to cloudflare.com:
https://abuse.cloudflare.com/
@brgl I have no clue, but I'd recommend to add a disclaimer to the Readme that there is no official website for libgpiod.
That should be the least you can do?
@brgl register libgpiod as a trademark before they do, so you can file an intellectual property claim to get the hands on the domain
@brgl
In addition to Cloudflare like people have mentioned, you can report it to Google as a phishing site: https://safebrowsing.google.com/safebrowsing/report_phish/
Mozilla also uses Google safe browsing so they don't have a report page, as far as I could tell.
maybe some experts have some advice (here's the few I know of) @briankrebs @SecurityWriter @InfoSecGreyBrd
@SwiftOnSecurity
@Retreival9096 @brgl @briankrebs @SecurityWriter @InfoSecGreyBrd @SwiftOnSecurity
hey folks
cluster of 40 domains registered the same day all sharing mailserver IP (CSV file at link) https://drive.proton.me/urls/GP3T0K24HM#HUGFplWmntoo
@Retreival9096 @brgl @briankrebs @SecurityWriter @InfoSecGreyBrd @SwiftOnSecurity looks related to a clickjacking / traffic diversion campaign noted here, same disclaimer appears at the bottom of some of the sites in the fullstory[.]com 2025 article
@brgl an online pal had a similar issue (other domain mirroring their website); cloudflare abuse shut the impostor down. A report might work, but might also try to protect your identity when you report due to cf’s history of poor abuse handling…
@neurovagrant @Retreival9096 @brgl @briankrebs @SecurityWriter @SwiftOnSecurity
You beat me to the reply, but that is exactly what I was thinking. It could be a kindly fan, but click jacking seems far more likely.
I would contact your local CIRC or Cloudflare to notify them. Feel free to DM me if you need any help
Thanks for the tag @neurovagrant
@brgl Interesting. Just looked at the other sites they apparently registered and they all do the same thing: say on the bottom they aren't affiliated with the official package and that they only link to documentation. All the ones I checked go to the developer's GitHub profile. Could be someone trying to be well-meaning here with an overnight AI project, but I think it's important to point out everything about these sites could change on a dime.
@neurovagrant @Retreival9096 @brgl @briankrebs @SecurityWriter @SwiftOnSecurity
And also thanks to @Retreival9096 for thinking to tag me in the first place. 🙂
> Unless I underestimated popularity of libgpiod :)
libgpiod is wildly popular with me but I'm not sure that counts for much. ;) [1]
I hope they can sort this out before libgpiod is compromised if it is, in fact, a target.
@brgl I'm reasonably certain that the people who've developed these sites are in India. A couple of them appear to have compromised their systems with credential stealing malware recently. But I don't see anything remotely malicious or phishy in their saved credentials or visited sites. If they were in the habit of doing bad things online, it would almost certainly be evident in their keylog data. However, they appear to be creating a large number of unrelated sites that basically just use SEO to get people to click on their affiliate links and buy stuff at Amazon, etc.
@brgl I did a passive DNS lookup on one of the host IPs for these domains, which are in basically two groups of time (2024-5 and 2026). But they all share a few qualities, including name server records at middlehosted.com:
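An added example, not part of the original post or thread: one way to reduce a passive DNS export like the one described above to registered domains and check them against project names you maintain. The sample rows, the watchlist and the function names are constructed for illustration, and taking the last two labels as the registered domain is a simplifying assumption.

```python
import re
from collections import defaultdict

# Constructed passive DNS rrname values for a single host IP (not data from the thread).
SAMPLE_RRNAMES = [
    "_dc-mx.0a1b2c3d4e5f.examplelib.com",
    "examplelib.com",
    "_dc-mx.aabbccddeeff.samplepkg.com",
    "cpanel.hostingshell.example",
    "webmail.hostingshell.example",
    "www.mirror.hostingshell.example",
    "_dc-mx.112233445566.othertool.com",
]

# Hypothetical watchlist: names of projects the maintainer wants to monitor.
WATCHLIST = {"examplelib", "othertool"}

# Mail-related records of the form _dc-mx.<12 hex chars>.<domain>
DC_MX = re.compile(r"^_dc-mx\.[0-9a-f]{12}\.")


def registered_domain(rrname):
    """Strip the _dc-mx prefix and keep the last two labels.

    Assumption: single-label public suffixes only (.com, .org, ...).
    Real data needs the Public Suffix List for suffixes such as co.uk.
    """
    name = DC_MX.sub("", rrname.lower().rstrip("."))
    return ".".join(name.split(".")[-2:])


def cluster(rrnames):
    """Group raw rrnames under their registered domain."""
    groups = defaultdict(set)
    for rr in rrnames:
        groups[registered_domain(rr)].add(rr)
    return dict(groups)


def watchlist_hits(rrnames, watchlist):
    """Registered domains whose first label equals a watched project name."""
    return [d for d in sorted(cluster(rrnames)) if d.split(".")[0] in watchlist]


if __name__ == "__main__":
    for domain, records in sorted(cluster(SAMPLE_RRNAMES).items()):
        print(domain, len(records))
    print("watchlist hits:", watchlist_hits(SAMPLE_RRNAMES, WATCHLIST))
```
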
@briankrebs @brgl It looks like paidcracked[.]org might be doing some sketchy SEO stuff, they might be preparing to monetize search results for popular packages, but yeah, wouldn't rule out future malware campaigns. Sketchy all around.
@brgl Something similar happened to a project that I'm loosely involved with in mid-April: https://huginpanorama.com/. We have no idea who's behind it, and there is no obvious grift (yet).
@briankrebs @brgl dude just did an adhoc threat hunt and analysis like nbd and i demand to know this workflow, krebs 😆
@brgl This has been happening to other open source projects (I recall seeing a drive-by warning on a GitHub for a project whose name I can't remember).
It's very clearly setting up typosquatting for later nefarious purposes.
@brgl multiple popular open source projects (e.g. vlc, gimp) had the problem that other people were SEOing domains with their name providing downloads of the software bundled with crapware installers. Might be preparation for something similar.
Best thing to do is making sure you make it easy to find your software and the legit downloads. If the software is popular enough, a dedicated webpage with a domain name matching the software (which is, e.g., what vlc does not have) may be good.
@briankrebs @brgl thanks for taking a look Brian.
@brgl (note you may want to incaludate the URL to break the SEO)
A quick check at VirusTotal doesn't reveal any detections, but it is clearly apparent that there's a direct link to the project, via the Meta Tags already presented to VT.
At the very least, head to VT and redo the scan for yourself, and start documenting everything you find from there and elsewhere.
@brgl It is quite interesting that the people who want individuals to verify their identity/age are the same ones who want (certain) website owners to remain anonymous and unaccountable.
Another quick check at MXToolbox, shows the associated mail server is on a blacklist, tagged as "Rats Dyna".
"RATS-Dyna - Probable PC or home connection infected with a Trojan, Bot, or Emailer Program -- If you are listed in the Spamrats/RATS-Dyna blacklist and you operate your own mail server, you likely have no valid PTR-Record."
@brgl
As it's part of/close to the Linux kernel, I wonder if there's free (to you) legal help you could get from the Linux Kernel Organization or the Linux Foundation or someone like that
@SwiftOnSecurity @briankrebs @brgl seems to be down for me..
One last check - on a _very_ old tool - shows the not-so-anonymous registrar as, epik.com
@brgl this smells like a rugpull to me. Get it established as reputable, then change instructions to point to malice at some future point.
But I’m also incredibly paranoid, so ::shrug::
@brgl I think you can complain about the use of them presenting themselves as “Libgpiod” and you can insist they rephrase that as “the libgpiod.com website”. But also, they do what they don’t want others to do which seems very sketchy too, and depending on your license, violate it.
The real risk is them gaining a foothold via search engines and people believing them to be the owners of the project and then revamp the site with ads or malware. If this was me, I’d contact them and I would request them to cease and hand over the domain. Or if you think the site is ok, to let them admin the site but transfer ownership to you so you can yank it when it becomes malicious
@brgl also this is why we own libreswan dot org/net/com/ca/fi/eu 😕
@brgl yeah a few days ago i noticed talosctl dot com and assumed it was at best some SEO milking, at worst a dormant supply chain attack
@Doomed_Daniel
Maybe also ask them to change libgpiod's kernel.org page: so that https connections with referral from libgpiod.com are greeted on kernel.org with a clear warning?
@brgl
@brgl I have the same issue with my own project (Catch2) -> catch2.org is AI generated copy of docs with some added scam links.
I tried reporting this to the registrar as scam and they are playing possum with no response.
@brgl
This is plain and clean cybersquatting. A common abuse that has worked in the same way for ages. Now they have added AI to the same basic pattern.
There are very few actions you can take, including legal ones.
I seriously doubt any of them works. The simplest thing to do is to warn users on your GitHub pages by indicating the only true source of information, and of course, digitally sign anything, including communications.
Well, I doubt it's considered a frontline tool these days, but it still works - well, most of it does - and I'm not one to toss something out because of its age or because it's no longer maintained, while it offers a tidy group of some still-useful utilities in one package.
@brgl You realize that by mentioning it as a URL you actually tell the bots it's reputable... Maybe GH supports a way to add rel="nofollow noopener noreferrer" ?
@brgl I'm no security expert and the pros have already chimed in; I'm just here to say that your situation reminds me of https://thehackernews.com/2026/06/fake-sites-mimicking-open-source-tools.html
@brgl maybe the linux foundation can foster it for you?
RaspberryPi could get involved too since they're probably the ones getting the most benefits from the library.
@lumiworx @confuseacat @brgl holy crap. I haven't seen that tool in ages. What's next? Are you going to whip out SATAN? :))))
@brgl yup. Long as you are aware that they might forward your report and personal details to the abuser.