Between 15:00 UTC on April 9 and roughly 10:00 UTC on April 10, 2026, the CPUID website — the canonical source for CPU-Z and HWMonitor, two of the most widely downloaded hardware utilities on Windows — served malicious download links. For 19 hours, anyone who clicked "Download" from the primary CPUID pages was redirected to attacker-controlled installers dressed up as the real thing.
CPUID confirmed the intrusion shortly after remediation, attributing it to a compromise of a "secondary feature, basically a side API" that the main site trusted for download URL rendering.
What the attackers actually did
They did not breach the build system. They did not sign a malicious binary. They did something simpler and arguably more effective: they controlled the URL the main download button pointed to. The file served was attacker-chosen; the page around it — branding, versioning, screenshots — was untouched.
From a user's perspective:
- Visit cpuid.com. Legitimate domain. Valid TLS. Familiar UI.
- Click the CPU-Z download. Get a file with the expected name.
- Run it. Depending on the payload variant, receive an infostealer, a loader, or a rogue extension.
No browser warning. No certificate error. No DNS oddity. Every defensive signal that users and security teams are trained to watch pointed the right way.
Key insight: This is the "trusted utility" class of supply-chain attack. It skips the hard problem of compromising a signed build pipeline by attacking the softer problem of what the download button on the website points to.
Why this keeps working
1. Download pages are under-protected
The build system gets audited, signed, and monitored. The marketing site where users actually click "Download" is frequently built on a CMS with admin credentials shared across a small team, a handful of plugins, and a side API nobody remembers adding three years ago.
2. Users (and IT) do not verify hashes
CPUID publishes checksums. Approximately nobody checks them. Even enterprise software-deployment tooling often fetches the installer from the vendor URL and trusts whatever comes back.
3. "Reputable source" is doing too much work
Allowlists, SmartScreen reputation, and EDR file-reputation scoring all lean heavily on "this came from a known-good domain." When the known-good domain is the attack vector, those signals invert.
What to do if CPU-Z or HWMonitor was downloaded in your environment
Scope the window
Pull endpoint telemetry for any download or installation of CPU-Z / HWMonitor between April 9, 15:00 UTC and April 10, 10:00 UTC. A download before or after the window, from the cpuid.com domain, is almost certainly legitimate. A download inside the window deserves individual review.
Match artifacts
Compare installer hashes against the legitimate CPUID-published SHA-256. If your EDR can hunt by hash, query across the fleet — it takes minutes and pays for itself in one real find.
Contain and hunt
Treat any confirmed rogue install as a full endpoint compromise. Rotate that user's credentials, review browser session tokens, and look for post-exploitation beacons over the following 72 hours.
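The three steps above (scope the window, match hashes, triage) fit in one small hunt script. The following is an added example written for this post, not code from CPUID or Lorikeet. The EDR export rows and the known-good hash table are constructed sample data; the hash values are placeholders derived from marker strings, not CPUID's real published checksums, and the incident window is the one stated above.

```python
"""Time-window hunt over EDR download telemetry for the CPUID incident.

Added illustration for this post; not CPUID's or Lorikeet's code. The
telemetry rows and the known-good hash table are constructed sample data,
and every hash is a placeholder derived from a marker string.
"""
import hashlib
from datetime import datetime, timezone

# Incident window as stated by CPUID (UTC). Boundaries are inclusive.
WINDOW_START = datetime(2026, 4, 9, 15, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 10, 10, 0, tzinfo=timezone.utc)

# Vendor-published SHA-256 per installer filename. In practice you copy these
# from CPUID's checksum list into your own catalog; here they are PLACEHOLDERS.
KNOWN_GOOD = {
    "cpu-z_2.16-en.exe": hashlib.sha256(b"placeholder-good-cpuz").hexdigest(),
    "hwmonitor_1.59.exe": hashlib.sha256(b"placeholder-good-hwmonitor").hexdigest(),
}

# Constructed EDR export: one row per observed download of a CPUID utility.
TELEMETRY = [
    {"host": "WS-101", "ts": "2026-04-08T12:00:00+00:00", "file": "cpu-z_2.16-en.exe",
     "sha256": KNOWN_GOOD["cpu-z_2.16-en.exe"], "domain": "cpuid.com"},
    {"host": "WS-202", "ts": "2026-04-09T16:30:00+00:00", "file": "cpu-z_2.16-en.exe",
     "sha256": hashlib.sha256(b"placeholder-rogue").hexdigest(), "domain": "cpuid.com"},
    {"host": "WS-303", "ts": "2026-04-10T09:45:00+00:00", "file": "hwmonitor_1.59.exe",
     "sha256": KNOWN_GOOD["hwmonitor_1.59.exe"], "domain": "cpuid.com"},
    {"host": "WS-404", "ts": "2026-04-10T09:50:00+00:00", "file": "CPU-Z_setup.exe",
     "sha256": hashlib.sha256(b"placeholder-unknown").hexdigest(), "domain": "cpuid.com"},
    {"host": "WS-505", "ts": "2026-04-11T08:00:00+00:00", "file": "hwmonitor_1.59.exe",
     "sha256": KNOWN_GOOD["hwmonitor_1.59.exe"], "domain": "cpuid.com"},
]

# Triage order: most urgent label first.
SEVERITY = ["rogue_installer", "in_window_unverified", "out_of_window_unverified", "verified"]


def in_window(ts_iso):
    """True if the ISO-8601 timestamp falls inside the incident window."""
    ts = datetime.fromisoformat(ts_iso)
    if ts.tzinfo is None:  # treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return WINDOW_START <= ts <= WINDOW_END


def classify(row):
    """Return a triage label for one telemetry row.

    A vendor filename carrying a hash other than the published one is the
    exact shape of this attack, so it is flagged regardless of the window.
    Unknown filenames are prioritised by whether they fall inside the window.
    """
    expected = KNOWN_GOOD.get(row["file"].lower())
    observed = row["sha256"].lower()
    if expected is not None:
        return "verified" if observed == expected else "rogue_installer"
    return "in_window_unverified" if in_window(row["ts"]) else "out_of_window_unverified"


def hunt(rows):
    """Group hosts by triage label, ordered from most to least urgent."""
    buckets = {label: [] for label in SEVERITY}
    for row in rows:
        buckets[classify(row)].append(row["host"])
    return [(label, hosts) for label, hosts in buckets.items() if hosts]


if __name__ == "__main__":
    for label, hosts in hunt(TELEMETRY):
        print(f"{label:26s} {', '.join(hosts)}")
```

Feed it your real EDR export (one row per download event, with filename, SHA-256 and timestamp) and replace the placeholder table with the hashes you pinned from CPUID's checksum page; the first bucket printed is the list of endpoints to treat as compromised.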
Defensive takeaways
- Internal software catalogs. Push utilities through your own package repository so engineers install from a channel you control, not the public internet.
- Automated hash verification. Deployment tooling should compare downloaded installers to vendor-published hashes before execution.
- Time-window hunting as a first-class playbook. When a supply-chain incident is announced, your muscle memory should be: identify the window, query EDR, triage the resulting host list.
- Monitor trusted-download chatter. Vendor compromise announcements surface on forums and X before formal advisories. Feed that signal into your threat-intel pipeline.
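The first two takeaways (an internal catalog plus automated hash verification) come down to one fail-closed gate in front of the installer. The following is an added example for this post, not CPUID's or Lorikeet's code. The catalog entry, the `fetch` callables and the installer bytes are constructed stand-ins, and the pinned hash is a placeholder; a real deployment would pull the artifact from your own package repository and the expected hash from your catalog, never from the same web page as the download link.

```python
"""Fail-closed installer gate for an internal software catalog.

Added example for this post; not CPUID's or Lorikeet's code. The catalog
entry, fetch functions and artifact bytes are constructed stand-ins, and the
pinned hash is a placeholder derived from a marker string.
"""
import hashlib
import hmac
import os
import tempfile

# Catalog entry you maintain yourself. The pinned hash is a PLACEHOLDER; in
# practice it is copied from the vendor's checksum list when the version is
# onboarded, so a later swap of the download link cannot change it.
CATALOG = {
    "cpu-z": {
        "filename": "cpu-z_2.16-en.exe",
        "sha256": hashlib.sha256(b"placeholder-good-cpuz-bytes").hexdigest(),
    }
}


class VerificationError(Exception):
    """Raised when a fetched artifact does not match its pinned hash."""


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large installers do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def stage_installer(name, fetch, workdir):
    """Fetch an artifact and return its path only if it matches the pinned hash.

    `fetch(name)` is any callable returning the raw bytes (your repo client).
    The bytes land in a .partial file first; on a match the file is renamed
    to its final name, on a mismatch it is moved to quarantine for forensics
    and VerificationError is raised, so nothing downstream can execute it.
    """
    entry = CATALOG[name]
    staged = os.path.join(workdir, "staging")
    quarantine = os.path.join(workdir, "quarantine")
    os.makedirs(staged, exist_ok=True)
    os.makedirs(quarantine, exist_ok=True)

    fd, partial = tempfile.mkstemp(dir=staged, suffix=".partial")
    with os.fdopen(fd, "wb") as f:
        f.write(fetch(name))

    observed = sha256_of_file(partial)
    # compare_digest avoids hand-rolling a string comparison in a security check.
    if not hmac.compare_digest(observed, entry["sha256"]):
        dest = os.path.join(quarantine, f"{entry['filename']}.{observed[:12]}")
        os.replace(partial, dest)
        raise VerificationError(
            f"{entry['filename']}: expected {entry['sha256'][:12]}..., got {observed[:12]}..."
        )

    final = os.path.join(staged, entry["filename"])
    os.replace(partial, final)
    return final


# Constructed fetchers standing in for a package-repository client.
def good_fetch(name):
    return b"placeholder-good-cpuz-bytes"


def rogue_fetch(name):
    return b"placeholder-rogue-bytes"  # same filename, different content


def run_demo():
    """Stage a matching artifact, then reject a swapped one; report the outcome."""
    workdir = tempfile.mkdtemp(prefix="catalog-demo-")
    result = {"staged": stage_installer("cpu-z", good_fetch, workdir),
              "rogue_rejected": False, "quarantined": 0}
    try:
        stage_installer("cpu-z", rogue_fetch, workdir)
    except VerificationError:
        result["rogue_rejected"] = True
    result["quarantined"] = len(os.listdir(os.path.join(workdir, "quarantine")))
    return result


if __name__ == "__main__":
    print(run_demo())
```

The design point is the separation of channels: the hash is pinned in a catalog you control at onboarding time, so a compromised download link on the vendor site changes the bytes but not the expectation, and the mismatch stops the install rather than being logged and ignored.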
Bottom line: A 19-hour hijack on a freeware utility is not a headline incident for most CISOs. But it is the same class of attack as SolarWinds, 3CX, and Okta — just smaller. The defensive posture is the same: do not conflate "trusted source" with "trusted artifact."
Find Supply-Chain Exposure Before It Finds You
Lorikeet's Attack Surface Management watches vendor-side incidents and flags when trusted software in your environment becomes an attack vector — so you act inside the window, not after it.