Your Favorite PC Monitoring Tools Were Secretly Spreading Malware — And You Might Have Downloaded It

Huma Shazia · 11 April 2026 at 12:22 pm · 5 min read
In a shocking breach that caught the PC enthusiast community off guard, hackers hijacked the official CPUID website and replaced popular tools CPU-Z and HWMonitor with credential-stealing malware. For six critical hours, anyone downloading these trusted utilities got a nasty surprise instead. The attack highlights a disturbing trend: supply chain compromises are becoming the go-to weapon for cybercriminals.

Key Takeaways

  • Hackers compromised CPUID's website and redirected downloads of CPU-Z and HWMonitor to malware-laden files for approximately six hours
  • The malware specifically targeted browser credentials, attempting to steal saved passwords from Google Chrome
  • Windows Defender caught the threat for most users, and CPUID's original signed files were never compromised
  • This attack shares infrastructure with a previous FileZilla compromise in March 2026, suggesting a coordinated threat actor
  • Supply chain attacks have surged 73% this year, making trusted software downloads increasingly risky

In This Article

  • What Exactly Went Down at CPUID
  • This Wasn't Your Average Malware — It Was Seriously Sophisticated
  • The Same Hackers Hit FileZilla Last Month
  • How to Know If You Were Affected (And What to Do About It)
  • Supply Chain Attacks Are Becoming an Epidemic
  • How to Stay Safe When Even Trusted Downloads Are Risky

What Exactly Went Down at CPUID

If you've ever built a PC or troubleshot hardware issues, you probably know CPU-Z and HWMonitor. These tools from French developer CPUID have been go-to utilities for checking processor specs and monitoring system temperatures for decades. But on April 9-10, 2026, something went terribly wrong.

  • Unknown attackers managed to compromise a secondary API on CPUID's website, hijacking the download mechanism for both flagship applications
  • Instead of getting the legitimate HWMonitor installer (hwmonitor_1.63.exe), users received a suspicious file named HWiNFO_Monitor_Setup.exe — a clever masquerade using a competitor's branding
  • The malicious downloads were hosted on a Cloudflare R2 storage service, making them appear somewhat legitimate to casual observers
  • Samuel Demeulemeester, the developer behind these tools, confirmed the breach affected random visitors for about six hours before the team identified and neutralized the threat

This Wasn't Your Average Malware — It Was Seriously Sophisticated

Security researchers at vx-underground took a deep dive into the malicious payload, and what they found was impressively nasty. This wasn't some script kiddie's weekend project.

  • The malware operated almost entirely in memory, making it incredibly difficult for traditional antivirus solutions to detect and remove
  • It included a fake CRYPTBASE.dll designed to blend in with legitimate Windows system files — a classic technique for avoiding suspicion
  • The primary objective was stealing browser credentials by exploiting Google Chrome's IElevation COM interface to dump and decrypt saved passwords
  • vx-underground noted that 'whoever developed this malware actually cares about evasion and made some intelligent decisions' — high praise (in a terrifying way) from security professionals

The Same Hackers Hit FileZilla Last Month

Here's where things get even more concerning. Security analysts discovered that the malicious payload was hosted on supp0v3.com — the exact same infrastructure used in a malware campaign targeting FileZilla users back in March 2026.

  • This connection suggests a well-organized threat actor systematically targeting popular software download pages
  • The attackers appear to have developed a playbook: compromise a trusted site's API, redirect downloads to their malicious server, and harvest credentials before anyone notices
  • Both attacks focused on widely used utilities that attract millions of downloads, maximizing the pool of potential victims
  • The multi-staged approach and sophisticated evasion techniques indicate significant resources and expertise behind these operations

How to Know If You Were Affected (And What to Do About It)

The silver lining here is that most security software was actually doing its job. But if you downloaded anything from CPUID's site during that six-hour window, you'll want to take some precautions.

  • Windows Defender flagged the malicious installer for most users, with VirusTotal showing 32 different security engines detecting the threat
  • A dead giveaway was the installation interface itself — users reported seeing a Russian-language Inno Setup wizard, which should immediately raise red flags for English-speaking users
  • If you bypassed security warnings and installed the suspicious file, immediately change all passwords stored in your browser — especially banking and email credentials
  • Consider running a full system scan with multiple security tools and checking for any unfamiliar processes connecting to the internet

Supply Chain Attacks Are Becoming an Epidemic

This CPUID incident isn't isolated — it's part of a disturbing trend that's reshaping cybersecurity in 2026. According to recent reports, supply chain attacks have exploded in both frequency and sophistication.

  • ReversingLabs' 2026 Software Supply Chain Security Report found malware in open-source platforms increased by 73% compared to last year
  • Just days before the CPUID attack, the popular Axios npm package (with 70 million weekly downloads) was also compromised in a separate incident
  • Security firm Group-IB now ranks supply chain attacks as the top global cyber threat, with both criminal organizations and nation-state actors exploiting trusted software distribution channels
  • The attack surface is growing rapidly as developers rely on more third-party dependencies, and attackers are getting better at hiding malicious code in seemingly legitimate updates

How to Stay Safe When Even Trusted Downloads Are Risky

When official download pages can't be trusted, what's a security-conscious user to do? Here are practical steps to protect yourself in this new threat landscape.

  • Always verify file hashes before running installers — legitimate developers typically publish SHA256 checksums you can compare against your downloaded file
  • Keep your antivirus updated and never bypass security warnings without thoroughly investigating why they triggered
  • Consider using package managers like Chocolatey or Scoop that provide additional verification layers for Windows software
  • Be extra suspicious of unexpected installation prompts, especially if the interface looks different than expected or appears in a foreign language
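One way to do the checksum comparison from the list above, as an added example that is not CPUID's or the article's own code: it parses a publisher's sha256sum-style checksum list, rejects any file whose name is not on that list (the HWiNFO_Monitor_Setup.exe situation) and only then streams the file through SHA256. The manifest format, file names and installer bytes in the demo are constructed placeholders, not CPUID's real checksums.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large installers are never loaded into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex>  <name>') into {name: lowercase hex}."""
    entries = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition("  ")
        if not digest or digest.startswith("#"):
            continue                          # blank or comment line
        name = name.lstrip("*")               # sha256sum's binary-mode marker
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries

def verify_download(path, manifest):
    """Return (ok, reason): name must be listed AND digest must match; unlisted names fail early."""
    path = Path(path)
    expected = manifest.get(path.name)
    if expected is None:
        return False, f"{path.name} is not in the publisher's checksum list"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, f"SHA256 mismatch for {path.name}"
    return True, f"{path.name} matches its published SHA256"

def demo():
    """Constructed scenario: a good installer, a renamed look-alike, then a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d, "hwmonitor_1.63.exe")
        good.write_bytes(b"constructed placeholder installer bytes")
        manifest = parse_manifest(f"{sha256_file(good)}  hwmonitor_1.63.exe\n")
        lookalike = Path(d, "HWiNFO_Monitor_Setup.exe")
        lookalike.write_bytes(good.read_bytes())  # same bytes, wrong (unlisted) name
        results = [verify_download(good, manifest)[0], verify_download(lookalike, manifest)[0]]
        good.write_bytes(b"tampered")             # content changed after publication
        results.append(verify_download(good, manifest)[0])
        return tuple(results)
```

Calling demo() returns (True, False, False): the genuine file passes, the renamed file is rejected by name, and the tampered file is rejected by digest.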

This malware is deeply trojanized, distributes from a compromised domain, performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses some interesting methods to evade EDRs and/or AVs.

— vx-underground, Cybersecurity Research Collective

Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours... our signed original files were not compromised.

— Samuel Demeulemeester, CPUID Developer

Final Thoughts

The CPUID breach serves as a stark reminder that in 2026, even downloading software from official sources requires vigilance. The attackers behind this incident are clearly sophisticated, well-resourced, and actively targeting the tools PC enthusiasts trust most. While CPUID has patched the vulnerability and is conducting a thorough investigation, this won't be the last supply chain attack we see. The best defense remains a combination of updated security software, healthy skepticism, and verification habits that might feel paranoid until the day they save your passwords from falling into the wrong hands.

Sources & Credits

Originally reported by Latest from Tom's Hardware

Huma Shazia

Senior AI & Tech Writer
