CPUID site served malware for hours

Published by The Daily Scout

What happened

The CPUID website (CPU‑Z, HWMonitor) was manipulated and served malware to visitors for several hours, according to reporting on the incident. The coverage notes that widely distributed admin utilities can become a vector when tool installers are weaponised on engineering or admin endpoints (heise.de).

Why it matters

Attackers hijacked part of CPUID’s website on April 9 and 10 and served malware instead of CPU-Z and HWMonitor downloads for about six hours. (bleepingcomputer.com) CPUID’s Samuel Demeulemeester told Cybernews that a “secondary feature,” described as a side application programming interface, was compromised between April 9 and April 10, 2026. He said the company’s signed original files were not altered, but the main site “randomly display[ed] malicious links” during that window. (cybernews.com) BleepingComputer reported that the attackers changed download links on the official CPUID site, so visitors clicking for installers were sent to malicious executables instead. SecurityWeek said the files delivered a remote access trojan known as STX RAT. (bleepingcomputer.com, securityweek.com)

CPU-Z and HWMonitor are hardware utilities: they read details like processor model, temperatures, voltages, fan speeds, and memory timings from a Windows computer. CPUID’s product pages describe CPU-Z as a system information tool and HWMonitor as a sensor-reading monitor for voltages, temperatures, power, current, and fan speed. (cpuid.com, cpuid.com) That makes the attack a software supply-chain problem: the program itself may be legitimate, but the delivery path is poisoned. The Register said the breach turned trusted links on a well-known admin site into a “coin toss” between real tools and malware. (theregister.com) Heise reported that system utilities like these are often used on engineering and administrator machines, which can hold credentials, network access, and sensitive configuration data. A trojanized installer on that kind of endpoint can give an attacker a foothold far beyond one desktop. (heise.de)

CPUID said the breach was fixed after discovery, and current product pages for CPU-Z and HWMonitor are back online. The company has not posted a public incident report on its news page, but its site remains the official distribution point for both tools. (cybernews.com, cpuid.com, cpuid.com) The episode left a narrow but serious exposure window: users who downloaded from the official site during those April 9 to April 10 hours may have done everything “right” and still received malware. That is the part security teams now have to unwind. (hothardware.com, heise.de)
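
For teams unwinding that window, a triage sketch follows. It is an added example, not code from CPUID or any of the cited reports. It lists CPU-Z and HWMonitor installers on a Windows endpoint, checks their Authenticode signature, and recovers the recorded download URL. The search root, file-name patterns, publisher string and the local-time reading of the April 9 to April 10 window are assumptions to adjust.

```powershell
# Added example. Assumptions (not from the article): search root, file-name
# patterns, the publisher string, and a local-time window covering April 9-10, 2026.
param(
    [string]$SearchRoot = "$env:USERPROFILE\Downloads",
    [string]$ExpectedPublisher = 'CPUID'  # placeholder: confirm against a known-good installer
)

$windowStart = [datetime]'2026-04-09'      # midnight, local time
$windowEnd   = $windowStart.AddDays(2)     # exclusive end: April 11, 00:00
$patterns    = 'cpu-z*', 'hwmonitor*'      # hypothetical installer name patterns

Get-ChildItem -Path $SearchRoot -Recurse -File -Include $patterns -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.msi' } |
    ForEach-Object {
        $file    = $_
        $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Mark of the Web: browsers record the URL the file actually came from.
        $motw    = Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $hostUrl = ($motw | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''

        # CreationTime approximates download time unless the file was copied later.
        $inWindow = $file.CreationTime -ge $windowStart -and $file.CreationTime -lt $windowEnd
        $signedOk = $sig.Status -eq 'Valid' -and $subject -like "*$ExpectedPublisher*"

        $verdict = if (-not $signedOk) { 'REVIEW: signature missing, invalid, or unexpected signer' }
                   elseif ($inWindow)  { 'In window, signature as expected' }
                   else                { 'Outside window, signature as expected' }

        [pscustomobject]@{
            Path      = $file.FullName
            Created   = $file.CreationTime
            InWindow  = $inWindow
            SigStatus = $sig.Status
            Signer    = $subject
            HostUrl   = $hostUrl
            SHA256    = (Get-FileHash -Algorithm SHA256 -Path $file.FullName).Hash
            Verdict   = $verdict
        }
    } |
    Sort-Object InWindow -Descending |
    Format-List
```

A substring match on the signer subject is a coarse check; comparing the certificate thumbprint with that of an installer obtained before the incident is stronger.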

