(Updated) CPUID Offline After Reports of Malware in CPU-Z and HWMonitor Downloads
Why It Matters
The incident underscores how trusted system‑monitoring tools can become vectors for credential theft, highlighting vulnerabilities in software distribution chains that affect both enthusiasts and enterprise IT environments.
Key Takeaways
- Malware disguised as HWMonitor 1.63 and CPU‑Z 2.19 installers
- Downloads hosted on a Cloudflare R2 bucket, deviating from CPUID’s usual CDN
- Payload steals browser data, targeting credentials and session tokens
- Users should verify file hashes or wait for official CPUID confirmation
Pulse Analysis
Supply‑chain attacks have moved beyond high‑profile enterprise software to everyday utilities that millions trust. CPU‑Z and HWMonitor are staples for hardware enthusiasts, system builders, and support technicians, making any compromise a potential gateway to a broad user base. The April 10 reports of malicious executables surfaced when users noticed an unexpected file name—HWiNFO_Monitor_Setup.exe—paired with Defender warnings. Such anomalies often signal a redirection of download traffic, a tactic attackers use to hijack legitimate distribution channels without altering the visible website for long periods.
Technical forensics point to a Cloudflare R2 object storage bucket with a randomized identifier, a stark departure from CPUID’s historic use of its own domain or a stable CDN. This shift suggests either a temporary server compromise or a malicious injection into the site’s download links. The payload, identified by multiple VirusTotal engines, functions as an information stealer, scraping saved browser passwords, cookies, and session tokens. While the exact scope remains unclear, the presence of a Russian‑language installer dialog hints at a possibly state‑linked threat actor leveraging the high trust placed in CPUID’s tools to harvest credentials en masse.
For users and IT departments, the immediate response is to halt fresh installations from the affected links and verify existing binaries against known hashes published by CPUID, if available. The broader lesson for software vendors is the critical need for immutable distribution mechanisms—such as signed URLs, reproducible builds, and transparent checksum publishing—to mitigate the risk of covert redirection. As the industry grapples with an uptick in supply‑chain compromises, vigilance around even the most benign utilities becomes a cornerstone of cyber‑hygiene.
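The two checks recommended above, comparing a downloaded installer against a vendor-published hash and confirming the file was served from the vendor's own host rather than a random object-storage bucket, can be scripted. The following Python is an added example written for this page, not code from CPUID or from the original article. The download hosts in EXPECTED_HOSTS, the bucket hostname, the installer filename and the file contents are all constructed placeholders; CPUID's real download hosts and hashes are not given on the page, so the demo computes its own "published" hash from a constructed sample file.

```python
"""Verify a downloaded installer against a published SHA-256 hash and check
that it came from the vendor's own download host.

Added example for this page. Hostnames, filenames and file contents below are
constructed placeholders, not values published by CPUID.
"""
import hashlib
import hmac
import tempfile
from urllib.parse import urlparse

# ASSUMPTION: the hosts a vendor is expected to serve downloads from.
# These are illustrative; look up the vendor's real download hosts yourself.
EXPECTED_HOSTS = {"download.cpuid.com", "www.cpuid.com"}


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large installers are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches(path: str, published_hex: str) -> bool:
    """Compare the file's digest with the published one.

    compare_digest gives a constant-time comparison; the strip/lower tolerates
    copy-pasted hashes with surrounding whitespace or upper-case hex.
    """
    return hmac.compare_digest(sha256_of_file(path), published_hex.strip().lower())


def host_is_expected(download_url: str, expected_hosts=EXPECTED_HOSTS) -> bool:
    """Flag downloads served from anywhere other than the vendor's own hosts.

    A randomly named object-storage bucket, or a plain-HTTP link, fails here.
    """
    parsed = urlparse(download_url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    return parsed.hostname.lower() in expected_hosts


def verify_download(path: str, download_url: str, published_hex: str) -> list[str]:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not host_is_expected(download_url):
        findings.append(f"unexpected download host: {urlparse(download_url).hostname}")
    if not hash_matches(path, published_hex):
        findings.append("SHA-256 does not match the published hash")
    return findings


def write_sample(data: bytes) -> str:
    """Write constructed bytes to a temp file and return its path (stands in for a download)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as f:
        f.write(data)
        return f.name


def demo() -> dict:
    """Constructed scenario: an untampered copy from the expected host passes;
    a modified copy served from a look-alike bucket host produces two findings.
    """
    good = write_sample(b"sample installer bytes (constructed)")
    published = sha256_of_file(good)  # stands in for the hash the vendor would publish
    tampered = write_sample(b"sample installer bytes (constructed) + injected payload")
    return {
        "good": verify_download(good, "https://download.cpuid.com/example_setup.exe", published),
        "tampered": verify_download(tampered, "https://pub-0123abcd.r2.dev/example_setup.exe", published),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

In practice the published hash comes from the vendor's own site or release notes, fetched separately from the download itself; if the vendor publishes none, the host check alone still catches the redirection pattern described above, where the link quietly points at a different origin.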