CPUID: HWMonitor and CPU-Z developer CPUID breached by unknown attackers — cyberattack forced users to download malware instead of valid apps for six hours

CPUID Website Breach Delivers Malware via Compromised Installers

On April 10, 2026, attackers breached the website of CPUID, the developer behind popular system tools HWMonitor and CPU-Z, replacing legitimate download files with malware-laced installers. The compromise was first reported by cybersecurity research group vx-underground, which identified that users attempting to download the latest versions of these tools were instead redirected to a malicious domain (supp0v3[.]com), previously linked to a March 2026 malware campaign.

The infected file, disguised as HWiNFO_Monitor_Setup.exe (a name that mimics the unrelated HWiNFO utility rather than the legitimate hwmonitor_1.63.exe it replaced), deployed an infostealer aimed at browser credentials. In particular it abused Google Chrome’s IElevation COM interface, the elevation-service endpoint that guards Chrome’s app-bound encryption keys, to extract and decrypt saved passwords. The malware reportedly used evasion techniques to get past endpoint detection and antivirus products, consistent with a deliberately planned supply chain attack rather than an opportunistic defacement.

Samuel Demeulemeester, CPUID’s developer, confirmed that a side API was compromised for approximately six hours, during which the malicious files were distributed. The breach has since been resolved, and CPUID’s signed original files were never altered: the swap happened at the distribution layer, not in the build, which is why checking the publisher signature on a downloaded installer before running it is the practical user-side control. Even so, the short window of exposure likely affected numerous users, many of whom may have unknowingly installed the malware. Windows Defender reportedly blocked some instances, but users who clicked through its warnings could have had their saved credentials stolen.
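For defenders asking whether anyone in their estate downloaded the swapped installer during the window, the indicators in the writeup (the redirect domain supp0v3[.]com, the swapped-in file name HWiNFO_Monitor_Setup.exe and the legitimate name hwmonitor_1.63.exe) are enough for a first-pass log hunt. The script below is an added example, not CPUID’s or vx-underground’s tooling. The proxy and process-creation log format, the sample lines and the CPUID download host names (VENDOR_HOSTS) are constructed assumptions for the example; the point is the matching logic, which also flags the legitimate file name arriving from a non-vendor host, the general signature of a distribution-layer swap.

```python
"""Log triage for the CPUID installer swap.

Added example, not CPUID's or vx-underground's tooling. It scans proxy and
process-creation log lines for the indicators named in the writeup. The log
line format and the vendor host names are constructed for the example; adapt
the regexes and host list to your own proxy / EDR schema.
"""
import re
from dataclasses import dataclass

# Indicators from the writeup (the domain is de-fanged as supp0v3[.]com in the text).
IOC_DOMAINS = {"supp0v3.com"}
MALICIOUS_NAMES = {"hwinfo_monitor_setup.exe"}
LEGITIMATE_NAMES = {"hwmonitor_1.63.exe"}
# Assumed vendor download hosts; the page does not name them.
VENDOR_HOSTS = {"www.cpuid.com", "download.cpuid.com"}

# Constructed sample telemetry, not real logs: two workstations, one of which
# followed the redirect and ran the swapped installer twice.
SAMPLE_LOGS = """\
2026-04-10T14:02:11Z proxy src=10.0.4.21 host=www.cpuid.com path=/softwares/hwmonitor.html status=200
2026-04-10T14:02:13Z proxy src=10.0.4.21 host=supp0v3.com path=/HWiNFO_Monitor_Setup.exe status=200
2026-04-10T14:03:40Z proc host=WS-0421 user=jdoe image=C:\\Users\\jdoe\\Downloads\\HWiNFO_Monitor_Setup.exe parent=explorer.exe
2026-04-10T14:05:02Z proc host=WS-0421 user=jdoe image=C:\\Users\\jdoe\\Downloads\\HWiNFO_Monitor_Setup.exe parent=cmd.exe
2026-04-10T15:10:00Z proxy src=10.0.4.33 host=download.cpuid.com path=/hwmonitor_1.63.exe status=200
2026-04-10T15:11:30Z proc host=WS-0433 user=asmith image=C:\\Users\\asmith\\Downloads\\hwmonitor_1.63.exe parent=explorer.exe
"""

PROXY_RE = re.compile(r"^(?P<ts>\S+) proxy src=(?P<src>\S+) host=(?P<host>\S+) path=(?P<path>\S+)")
PROC_RE = re.compile(r"^(?P<ts>\S+) proc host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) parent=(?P<parent>\S+)")


@dataclass
class Finding:
    line_no: int
    rule: str      # which indicator matched
    subject: str   # client IP for proxy hits, user@host for process hits
    detail: str


def basename(path: str) -> str:
    """Last component of a URL path or a Windows path, lower-cased for matching."""
    return re.split(r"[\\/]", path)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches an indicator."""
    findings: list[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = PROXY_RE.match(line)
        if m:
            host, name = m["host"].lower(), basename(m["path"])
            if host in IOC_DOMAINS:
                findings.append(Finding(n, "ioc_domain", m["src"], f"fetched {m['path']} from {host}"))
            elif name in MALICIOUS_NAMES:
                findings.append(Finding(n, "ioc_filename", m["src"], f"fetched {name} from {host}"))
            elif name in LEGITIMATE_NAMES and host not in VENDOR_HOSTS:
                # Right file name, wrong origin: the pattern of a distribution-layer swap.
                findings.append(Finding(n, "offsite_download", m["src"], f"fetched {name} from {host}"))
            continue
        m = PROC_RE.match(line)
        if m:
            name = basename(m["image"])
            if name in MALICIOUS_NAMES:
                subject = f"{m['user']}@{m['host']}"
                findings.append(Finding(n, "ioc_execution", subject, f"ran {name} (parent {m['parent']})"))
    return findings


def credential_reset_targets(findings: list[Finding]) -> list[str]:
    """Users who executed the swapped installer: treat their Chrome-saved
    passwords as exposed and rotate them."""
    return sorted({f.subject for f in findings if f.rule == "ioc_execution"})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOGS)
    for f in hits:
        print(f"line {f.line_no}: [{f.rule}] {f.subject} {f.detail}")
    print("reset saved credentials for:", ", ".join(credential_reset_targets(hits)))
```

A proxy hit alone means a download, not an infection; the process-creation match is what puts a user on the credential-reset list. On the flagged endpoints, pair this with a publisher-signature check of the installer still sitting in the Downloads folder (PowerShell’s Get-AuthenticodeSignature will do) before deciding whether the file was the signed CPUID original or the swapped one.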

This incident follows a rising trend of supply chain attacks, where threat actors target trusted software distribution channels to spread malware. Recent examples include a compromised JavaScript library in March 2026, a hijacked 7-Zip download site in January 2026, and a Notepad++ update server breach in June 2025. The attack underscores the risks of even brief security lapses in widely used tools.

Source: https://www.tomshardware.com/tech-industry/cyber-security/hwmonitor-and-cpu-z-developer-cpuid-breached-by-unknown-attackers-cyberattack-forced-users-to-download-malware-instead-of-valid-apps-for-approximately-six-hours

CPUID cybersecurity rating report: https://www.rankiteo.com/company/cpuid

{
  "id": "CPU1775845486",
  "linkid": "cpuid",
  "type": "Breach",
  "date": "4/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customer data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "Numerous users of HWMonitor and CPU-Z",
      "industry": "Technology",
      "name": "CPUID",
      "type": "Software Developer"
    }
  ],
  "attack_vector": "Compromised software distribution channel",
  "customer_advisories": "Users advised to verify file authenticity and scan systems for malware.",
  "data_breach": {
    "data_encryption": "Malware decrypted Chrome saved passwords",
    "data_exfiltration": "Yes",
    "personally_identifiable_information": "Yes (saved passwords)",
    "sensitivity_of_data": "High (saved passwords)",
    "type_of_data_compromised": "Browser credentials"
  },
  "date_detected": "2026-04-10",
  "date_publicly_disclosed": "2026-04-10",
  "date_resolved": "2026-04-10",
  "description": "On April 10, 2026, attackers breached the website of CPUID, the developer behind popular system tools HWMonitor and CPU-Z, replacing legitimate download files with malware-laced installers. The compromise was first reported by cybersecurity research group vx-underground, which identified that users attempting to download the latest versions of these tools were instead redirected to a malicious domain (supp0v3[.]com). The infected file, disguised as HWiNFO_Monitor_Setup.exe, deployed malware designed to steal browser credentials, particularly targeting Google Chrome’s IElevation COM interface to extract and decrypt saved passwords. The malware employed evasion techniques to bypass endpoint detection and antivirus systems, indicating a sophisticated supply chain attack.",
  "impact": {
    "brand_reputation_impact": "Yes",
    "data_compromised": "Browser credentials (Google Chrome saved passwords)",
    "identity_theft_risk": "Yes",
    "operational_impact": "Potential unauthorized access to user accounts",
    "systems_affected": "User systems that installed the malicious installer"
  },
  "initial_access_broker": {
    "entry_point": "Side API compromise"
  },
  "investigation_status": "Resolved",
  "lessons_learned": "Rising trend of supply chain attacks targeting trusted software distribution channels; even brief security lapses can lead to widespread malware distribution.",
  "motivation": "Credential theft, data exfiltration",
  "post_incident_analysis": {
    "corrective_actions": "Secured side API, restored legitimate files, and removed malicious installers",
    "root_causes": "Side API compromise allowing malicious file distribution"
  },
  "recommendations": "Enhance monitoring of software distribution channels, implement stricter API security, and educate users on verifying file authenticity before installation.",
  "references": [
    {
      "date_accessed": "2026-04-10",
      "source": "vx-underground"
    }
  ],
  "response": {
    "communication_strategy": "Public disclosure via developer confirmation",
    "containment_measures": "Breach resolved, malicious files removed",
    "remediation_measures": "Restored legitimate files, secured side API"
  },
  "title": "CPUID Website Breach Delivers Malware via Compromised Installers",
  "type": "Supply Chain Attack",
  "vulnerability_exploited": "Side API compromise"
}