Apr 11, 2026 · 5 min read
Hackers Hijacked CPU-Z and HWMonitor Downloads for Six Hours—The Malware Stole Browser Passwords
Attackers compromised CPUID's download infrastructure and replaced legitimate installers with credential-stealing malware. The signed binaries were never touched.
What Happened
On April 9 and 10, 2026, attackers compromised CPUID's download infrastructure and replaced the official download links for CPU-Z and HWMonitor with trojanized installers. For approximately six hours, anyone who downloaded these popular system utilities from CPUID's official website received malware instead.
CPU-Z and HWMonitor are among the most widely used hardware diagnostic tools on Windows. CPU-Z identifies processors, memory, and motherboards. HWMonitor tracks temperatures, voltages, and fan speeds. Together they have been downloaded hundreds of millions of times.
How the Attack Worked
The attackers did not compromise the actual software builds or signing process. Instead, they gained access to a secondary API that CPUID uses to serve download links on its website. By manipulating this API, they redirected users to malicious files hosted on Cloudflare R2 storage.
CPUID confirmed the issue: "a secondary feature (basically a side API) was compromised for approximately six hours, causing the main website to randomly display malicious links." The company emphasized that its signed original files were never touched.
Users attempting to download HWMonitor 1.63 were served a file called "HWiNFO_Monitor_Setup.exe," a name designed to look plausible but that does not match any legitimate CPUID product. The malicious installer used an Inno Setup wrapper with Russian language strings, a detail quickly flagged by security researchers.
What the Malware Does
Security researchers identified the payload as a multistage infostealer built to extract saved credentials from web browsers. The attack chain works like this:
- Stage 1: The fake installer drops a malicious DLL named CRYPTBASE.dll, designed to masquerade as a legitimate Windows system component.
- Stage 2: The DLL connects to a command-and-control server to download additional payloads, operating primarily in memory using PowerShell to avoid detection.
- Stage 3: The malware targets Google Chrome's IElevation COM interface to dump and decrypt saved passwords from the browser's credential store.
- Stage 4: Stolen credentials and session tokens are exfiltrated to attacker-controlled infrastructure.
The malware specifically targeted 64-bit HWMonitor installations and used process injection and .NET compilation on the victim machine to evade endpoint detection and response (EDR) tools.
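The two host-level indicators the article names, the lookalike installer filename and a CRYPTBASE.dll loaded from somewhere other than the Windows system directories, can be checked on a workstation with the PowerShell snippet below. This is an added triage example, not code from the article, CPUID, or the researchers who analysed the payload; the search roots (Downloads and the user temp directory) are assumptions about where a downloaded installer ends up, and a real investigation would widen them to the install directory and any EDR telemetry you have.

```powershell
# Added example (not from the article or CPUID): triage checks for the two
# host indicators described above. Search roots are assumptions; adjust them.

$SuspectName = 'HWiNFO_Monitor_Setup.exe'
$SearchRoots = @("$env:USERPROFILE\Downloads", "$env:TEMP")   # assumption: where installers land

# 1. Look for the lookalike installer on disk.
$suspectFiles = foreach ($root in $SearchRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Filter $SuspectName -Recurse -File -ErrorAction SilentlyContinue
    }
}

# 2. CRYPTBASE.dll is a genuine Windows component that lives in System32 / SysWOW64.
#    A copy loaded into any process from another directory is the sideloading indicator.
$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)
$rogueModules = foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    try {
        foreach ($m in $proc.Modules) {
            if ($m.ModuleName -ieq 'CRYPTBASE.dll') {
                $dir = Split-Path -Parent $m.FileName
                $inSystemDir = $systemDirs | Where-Object { $dir -ieq $_ }
                if (-not $inSystemDir) {
                    [pscustomobject]@{ Process = $proc.ProcessName; PID = $proc.Id; Path = $m.FileName }
                }
            }
        }
    } catch {
        # Protected or cross-bitness processes may refuse module enumeration; skip them.
    }
}

# 3. Also flag stray copies on disk; the DLL may not be loaded at the moment you look.
$rogueFiles = foreach ($root in $SearchRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Filter 'CRYPTBASE.dll' -Recurse -File -ErrorAction SilentlyContinue
    }
}

# Report what was found.
if ($suspectFiles) { "Lookalike installer found:"; $suspectFiles.FullName }
if ($rogueModules) { "CRYPTBASE.dll loaded from a non-system directory:"; $rogueModules | Format-Table -AutoSize }
if ($rogueFiles)   { "CRYPTBASE.dll present outside the Windows system directories:"; $rogueFiles.FullName }
if (-not ($suspectFiles -or $rogueModules -or $rogueFiles)) { "No indicators from the article found." }
```

A hit on any of the three checks is a reason to isolate the machine and treat saved browser credentials as exposed; a clean result only means these particular indicators are absent, since the later stages run in memory and leave little on disk.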
Part of a Larger Campaign
Researchers linked the attack infrastructure to earlier campaigns, including one that targeted FileZilla users with similar techniques. This suggests the CPUID compromise is part of an ongoing operation that specifically targets popular software download pages to distribute credential-stealing malware.
Supply chain attacks on software distribution channels have become increasingly common. The technique is effective because users trust official download pages, and most people do not verify file hashes or check digital signatures before running an installer. A similar pattern was seen in the recent Mercor AI breach, where attackers exploited a brief window in a Python package update to steal 4TB of data.
What You Should Do
If you downloaded CPU-Z or HWMonitor between April 9 and April 10, 2026, take these steps immediately:
- Check the filename. If you downloaded a file called "HWiNFO_Monitor_Setup.exe" from CPUID's site, you received the malicious version. Delete it immediately.
- Run a full antivirus scan. If you executed the file, scan your system with an updated antivirus tool. Several vendors now detect the payload as Tedy or Artemis Trojan variants.
- Change all saved passwords. The malware targets browser credential stores. If you ran the installer, assume your saved passwords in Chrome and other browsers are compromised. Change passwords for critical accounts starting with email and banking.
- Enable two-factor authentication. Even with stolen passwords, two-factor authentication can prevent account takeover. Prioritize email, financial, and social media accounts.
- Verify clean downloads. CPUID has fixed the issue and now serves legitimate files. If you need these tools, download them again and verify the digital signature before running.
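The last step, verifying the digital signature before running, is where most users stop short because "signed" on its own is not enough: an attacker can sign a trojan with a certificate of their own, so the check has to pin the expected publisher as well as the signature's validity. The function below is an added example, not CPUID's own tooling; the expected certificate subject is a placeholder that you fill in by reading it from a known-good copy of the installer, and the download path in the usage line is an assumption.

```powershell
# Added example (not CPUID's own tooling): refuse to run an installer unless its
# Authenticode signature is valid AND the signer's certificate subject matches the
# publisher you expect. The -ExpectedSubject default is a placeholder; obtain the
# real subject from a known-good copy with
# (Get-AuthenticodeSignature .\known-good.exe).SignerCertificate.Subject and pin it.

function Test-TrustedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSubject = 'CN=PLACEHOLDER-PUBLISHER'   # assumption: replace with the pinned subject
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # The lookalike name from the incident is a red flag on its own, whatever the signature says.
    if ((Split-Path -Leaf $Path) -ieq 'HWiNFO_Monitor_Setup.exe') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'Filename matches the lookalike installer from the CPUID incident' }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Status is Valid only when the chain builds to a trusted root and the file hash matches;
    # NotSigned, HashMismatch and UnknownError all mean "do not run".
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Signature status: $($sig.Status)" }
    }

    # A valid signature from the wrong publisher is still wrong.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -ne $ExpectedSubject) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Signer is '$subject', expected '$ExpectedSubject'" }
    }

    # Record the SHA-256 alongside the verdict so it can be compared with a published hash.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = "Valid signature from $subject"; SHA256 = $hash }
}

# Usage: only launch the installer when the check passes.
$result = Test-TrustedInstaller -Path "$env:USERPROFILE\Downloads\cpu-z_setup.exe"   # assumption: your download path
$result | Format-List
if ($result.Trusted) {
    Start-Process -FilePath $result.Path -Wait
} else {
    Write-Warning "Not running $($result.Path): $($result.Reason)"
}
```

Pinning the subject is what makes this useful against the attack described here: the trojanized installer was served from the official page with a plausible name, so the filename and the download URL were exactly the things a user could not rely on, while the publisher certificate on CPUID's untouched signed binaries is something the attacker could not reproduce.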
Why Software Downloads Are a Privacy Weak Point
This attack highlights a broader problem: the software you install has access to everything on your machine, including your browser's saved credentials, session tokens, cookies, and browsing history. A compromised installer does not just infect your computer. It can steal credentials that give attackers access to your email, financial accounts, and every service you log into.
Stolen email credentials are particularly dangerous. Once an attacker has access to your inbox, they can reset passwords on other accounts, read sensitive correspondence, and use your identity for phishing attacks against your contacts.
The Bottom Line
Six hours was all it took. Attackers compromised a download API, swapped clean installers for credential-stealing malware, and disappeared before most users noticed. CPUID has restored clean files, but anyone who downloaded during that window may have already lost their browser passwords. Verify your downloads, change your credentials, and treat official download pages with the same skepticism you would treat any link in an unsolicited email.