CPU-Z and HWMonitor compromised
by pashadee on 4/10/2026, 1:29:20 PM
https://xcancel.com/vxunderground/status/2042483067655262461

https://old.reddit.com/r/pcmasterrace/comments/1sh4e5l/warning_hwmonitor_163_download_on_the_official/

https://www.bleepingcomputer.com/news/security/supply-chain-attack-at-cpuid-pushes-malware-with-cpu-z-hwmonitor/
https://www.theregister.com/2026/04/10/cpuid_site_hijacked/
Comments
by: john_strinlai
some comments purportedly (i did not verify) from one of the maintainers:

> Dear All, I'm Sam and I'm working with Franck on CPU-Z (I'm doing the validator). Franck is unfortunately OOO for a couple of weeks. I'm just out of bed after working on Memtest86+ for most of the night, so I'm doing my best to check everything. As very first checks, the file on our server looks fine (https://www.virustotal.com/gui/file/6c8faba4768754c3364e7c400a9d79ccbece156087be607583619f11a09cb064) and the server doesn't seem compromised. I'm investigating further... If anyone can tell me the exact link to the page where the malware was downloaded, that would help a lot

> Thank you. I found the biggest breach, restored the links and put everything in read-only until more investigation is done. Seems they waited until Franck was off and I got to bed after working on Memtest86+ yesterday :-/

> The links have been compromised for a bit more than 6 hours between 09/04 and 10/04 GMT :-/

so, it appears that the cpuid *website* was compromised, with links leading to fake installers.
4/10/2026, 3:04:19 PM
by: quantummagic
> after the download my Windows Defender instantly detected a virus.

> (because i am often working with programs which trigger the defender i just ignored that)

This again shows the unfortunate corrosive effect of false-positives. Probably impossible to solve while aggressively detecting viruses though.
4/10/2026, 3:30:57 PM
by: jl6
To our new generation of human shields willing to use software releases less than a month old, we salute your sacrifice.
4/10/2026, 3:38:25 PM
by: cachius
It's HWMonitor https://www.cpuid.com/softwares/hwmonitor.html and not HWInfo https://www.hwinfo.com/

So two programs from CPUID. I wonder if there are more affected.

Same topic on Reddit at https://news.ycombinator.com/item?id=47718830 @dang
4/10/2026, 2:55:59 PM
by: orthogonal_cube
Seems the installers hosted by them are fine. The links on the site have been changed to direct people towards Cloudflare R2 storage with various copies of malicious executables.

Looking forward to information down the line on how this came about.
4/10/2026, 3:00:28 PM
by: kyrra
For windows users, this is an advantage of using `winget` for installing things. It points to the installer hosted elsewhere, but it at least does a signature check. The config for the latest installer is listed here: https://github.com/microsoft/winget-pkgs/blob/master/manifests/c/CPUID/CPU-Z/2.19/CPUID.CPU-Z.installer.yaml

which you can install with:

    winget install --exact --id CPUID.CPU-Z

(there is a --version flag where you can specify "2.19", and the signature there is a month old, so it should be safe to install that way)
4/10/2026, 3:27:33 PM
by: cachius
This is bad. I like to install software with winget. Are the versions there also compromised?

v1.63 updated 6 days ago https://github.com/microsoft/winget-pkgs/tree/master/manifests/c/CPUID/HWMonitor/1.63 via https://winstall.app/apps/CPUID.HWMonitor

v2.19 updated 15 days ago https://github.com/microsoft/winget-pkgs/tree/master/manifests/c/CPUID/CPU-Z/2.19 via https://winstall.app/apps/CPUID.CPU-Z
4/10/2026, 2:45:43 PM
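The two comments above lean on winget's manifest as the trusted reference: the installer manifest pins the installer's URL (InstallerUrl) and its SHA-256 (InstallerSha256), and winget refuses an installer whose hash differs. The script below, an added example and not winget's or CPUID's code, performs that same comparison on a file you already downloaded by hand, and additionally flags a download whose host differs from the manifest's InstallerUrl host, which is the symptom described in this thread (official-looking links redirected to third-party object storage). The manifest text, installer bytes and hostnames are constructed placeholders, not the real CPU-Z manifest.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample installer bytes and manifest (NOT the real CPU-Z manifest or binary);
# the layout mirrors winget installer manifests: Installers / InstallerUrl / InstallerSha256.
GOOD_INSTALLER = b"MZ constructed-sample-installer-bytes"
MANIFEST_TEMPLATE = """\
PackageIdentifier: CPUID.CPU-Z
PackageVersion: 2.19
Installers:
- Architecture: x64
  InstallerUrl: https://download.vendor.example/cpu-z_2.19-en.exe
  InstallerSha256: {sha}
ManifestType: installer
"""
SAMPLE_MANIFEST = MANIFEST_TEMPLATE.format(sha=hashlib.sha256(GOOD_INSTALLER).hexdigest())

_URL_RE = re.compile(r"^\s*InstallerUrl:\s*(\S+)", re.M)
_SHA_RE = re.compile(r"^\s*InstallerSha256:\s*([0-9A-Fa-f]{64})", re.M)


def parse_installers(manifest_text):
    """Return (url, sha256) pairs from the Installers: entries, in file order."""
    urls = _URL_RE.findall(manifest_text)
    shas = _SHA_RE.findall(manifest_text)
    if len(urls) != len(shas):
        raise ValueError("manifest has unpaired InstallerUrl/InstallerSha256 entries")
    return [(u, s.lower()) for u, s in zip(urls, shas)]


def verify_download(data, source_url, manifest_text):
    """Compare a downloaded file with the manifest's pinned hash (what winget checks),
    plus a host check that catches links swapped to third-party storage.
    Returns a list of problems; an empty list means the download matches."""
    digest = hashlib.sha256(data).hexdigest()
    pinned = parse_installers(manifest_text)
    problems = []
    if not any(digest == sha for _, sha in pinned):
        problems.append(f"sha256 {digest[:16]}... is not pinned in the manifest")
    src_host = urlparse(source_url).hostname
    if src_host not in {urlparse(u).hostname for u, _ in pinned}:
        problems.append(f"download host {src_host!r} differs from the manifest InstallerUrl host")
    return problems


if __name__ == "__main__":
    good = verify_download(GOOD_INSTALLER, "https://download.vendor.example/cpu-z_2.19-en.exe", SAMPLE_MANIFEST)
    swapped = verify_download(b"MZ tampered", "https://object-store.example.invalid/setup.exe", SAMPLE_MANIFEST)
    print("official link:", good or "matches manifest")
    print("swapped link:", swapped)
```

For a real check, replace SAMPLE_MANIFEST with the text of the manifest file linked above and pass the bytes of the file you downloaded together with the URL the browser actually fetched it from.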
by: kevincloudsec
same threat group hit filezilla last month with a fake domain. this time they didn't even need a fake domain, they compromised the real one's api layer. the attack is evolving from 'trick users into visiting the wrong site' to 'make the right site serve the wrong file.'
4/10/2026, 2:39:45 PM
by: amatecha
some good details here <a href="https://xcancel.com/vxunderground/status/2042483067655262461" rel="nofollow">https://xcancel.com/vxunderground/status/2042483067655262461</a>
4/10/2026, 3:07:35 PM
by: kevincloudsec
same threat group hit filezilla last month. they're specifically targeting utilities that tech-savvy users trust and download from official sources. the attack surface is the api layer that generates download links, not the binary itself
4/10/2026, 2:38:04 PM
by: ASalazarMX
Just my luck that I needed and downloaded CPU-Z yesterday at work, after not needing it for years. Fortunately my download is not detected as malicious by Virustotal, but what a scare.
4/10/2026, 8:09:15 PM
by: VimEscapeArtist
Wait, people still download unsigned exes from PHP-era websites in 2026? And then act surprised when the download link starts pointing to malware?

At this point if your software isn't distributed through a repo with verifiable builds, you're basically running a malware lottery for your users. The only question is when, not if.

CPUID got lucky it was only 6 hours. Imagine if the attackers had better taste in filenames than "HWiNFO_Monitor_Setup.exe" lmao
4/10/2026, 8:31:23 PM
by: moomoo11
One interesting thing about all this stuff is that we may see a big swing towards paid/trusted solutions for all these type of things.

Maybe the 5-10% of true nerds will go find the l33t open source solutions, but most people will just use some paid solution.

Maybe Steam could build. Or in Windows. Or some SaaS solution for registry.

In exchange you just share your HW info
4/10/2026, 7:21:45 PM
by: BoredPositron
"Bug fixes and general improvements."

Supply chain attacks are easier because changelogs for most software are useless now if they are provided at all.
4/10/2026, 4:15:08 PM
by: unethical_ban
I've wondered about this while using CachyOS and their package installer. I don't know what repos do what, I don't really understand the security model of the AUR, and I wonder, if I download a package, how can I know it's legitimate or otherwise by some trusted user of the community vs. some random person?
4/10/2026, 3:32:13 PM
by: wang_li
Jesus. I see that post and comment section and I immediately expect to hear Joey telling me about how this ATM in Idaho started spraying cash after his hack of the Gibson. That is a real-life reproduction of the perception of hackers in films in the '90s.
4/10/2026, 2:56:30 PM
by: cachius
Grok post linking further sources: https://x.com/i/grok/share/3b870ceb9b424c01bf89afbe0de3bd81
4/10/2026, 3:33:27 PM