🚨 *Attention!* We were made aware of a fake “KeePassXC Password Manager Pro” repository on GitHub that links to unverified external binary downloads.
- There is NO Pro version of KeePassXC!
- You get all the “Pro” features with the regular version.
Please download KeePassXC only from trusted distribution channels linked on https://keepassxc.org/!
KeePassXC Password Manager
FYI: The "Download" link goes through a series of redirects with several obfuscated JavaScript pages in between. I didn't open it in a browser and therefore didn't spend the time to resolve the full chain to the final download, but the fact alone that these obfuscations are there speaks for itself.
GitHub took down the repository just now. It was up for 19 hours when we reported it. GitHub took action within roughly 2.5 hours, which was rather quick.
@keepassxc
Was this the only instance of this? I feel like several months ago when i was thinking about using a password manager, I saw that "pro". Could be my brain just making things up and seeing what it wants
@wyatt We don't know of any other at the moment.
@keepassxc has GitHub taken action on the repository in question?
@jrsofty Yes, they took it down just now.
@keepassxc thank you and good looking out. 🙏
@keepassxc It could be worse than just "we will make you pay for free software developed by someone else", maybe…
Do you think it could be related to the same sort of attack as the one against KeePass?
https://www.bleepingcomputer.com/news/security/fake-keepass-password-manager-leads-to-esxi-ransomware-attack/
Fake KeePass password manager leads to ESXi ransomware attack (BleepingComputer): Threat actors have been distributing trojanized versions of the KeePass password manager for at least eight months to install Cobalt Strike beacons, steal credentials, and ultimately, deploy ransomware on the breached network.
@lminoza Since there isn't any sort of payment involved, I would assume it's just some sort of malicious fork.
@lminoza @keepassxc unlikely that it isn't a password stealer tbh
i mean, why else would you make a fake version of a password manager
@keepassxc
How do I know **you** are the original and not just some impostor? 😉
@keepassxc

No I just started my KeePass xc pro sub. And now you tell me it is fake?
Jk, not doing it. But could imagine this being used at some point.

Though I did "pay" for KeePass xc. Thanks for creating such wonderful software.
Not using it right now. I wish there was an integrated way to open some form of remote source... Would make me switch back again!
@keepassxc imitation is the sincerest form of flattery!
@keepassxc soooooo many emojis if this ain't sus i dunno what is these days
@peakfriktion @keepassxc Probably AI generated pages. They love adding emojis for everything.
@zotnobot @keepassxc precisely. can't even look at emojis anymore without susing something nefarious.
@keepassxc These scammers always gravitate toward "Military Grade" encryption. No thanks 🤣
@jack Our old website said "industry-standard" and that is already cringe af, so we removed it with the redesign.
@keepassxc
When you see the term "military-grade encryption," walk away. It's meaningless. (To put it another way, "military-grade encryption" is not particularly strong or robust encryption.) It means whoever is touting it doesn't know what they're talking about.
@watchpocket Military Grade Encryption is just a dumb marketing term that indicates the encryption algorithm could be FIPS 140 certified (i.e., approved for use in military applications).
@keepassxc If they're using your trademark, can't you guys send a C&D to tell them to stop?

@keepassxc
Yet another awesome use for AI, scammy repackages of popular open-source projects. Can generate hundreds of repositories with slightly different, legit looking READMEs, linking to malware or payment pages.

I wonder at what point GitHub will get tired of playing the cat and mouse game and stop taking action on the AI slop we'll painstakingly be reporting.

@keepassxc Assholes... I would recommend (though not entirely rely on) using your package management that you can trust. Distribution, whatever. Not that installing from spaces like GitHub is a bad thing, it is just so easy for something like this to show up in such spaces.
@keepassxc my brother in ra, You're now famous. Congratulations
@keepassxc KeePassXC Gold and KeePassXC Ultimate when
@eric KeePassXC Plus subscription with ten new monthly passwords.
@keepassxc
and that "regular" version is ruined by LLM bullshit