Homelab tool compromise warning
A widely shared social post warned that downloads for CPU‑Z and HWMonitor were compromised, advising homelab users to verify tools and installations. The alert circulated on social platforms and flagged the risk to personal lab environments. (x.com)
People who downloaded CPU-Z or HWMonitor from CPUID’s website on April 9 or April 10 may have received malware instead of the real tools. (bleepingcomputer.com)

CPUID said a “secondary feature,” which it described as a side application programming interface, was compromised for about six hours between April 9 and April 10, 2026. The company said its signed original files were not altered, but the website randomly showed malicious download links during that window. (techpowerup.com)

CPU-Z and HWMonitor are Windows utilities that show hardware details such as processor model, temperatures, voltages, fan speeds, and clock rates. Homelab users and PC builders often use them to check system health after upgrades, overclocking, or new server builds. (cpuid.com)

Researchers said the attack changed where the download buttons pointed, not the software build process itself. One reported example sent users looking for HWMonitor 1.63 to a file named “HWiNFO_Monitor_Setup.exe,” a different product name that tipped off users that something was wrong. (theregister.com)

Kaspersky said the compromised site delivered trojanized versions of CPU-Z 2.19, HWMonitor 1.63, HWMonitor Pro 1.57, and PerfMonitor 2.04 on April 9, 2026. The firm said the malicious packages used a technique called dynamic-link library side-loading, which hides a bad file next to a legitimate signed program so Windows loads both together. (securelist.com)

Kaspersky said the malicious file was named “CRYPTBASE.dll” to resemble a normal Windows component, then contacted an external server to pull down more code. The final payload was STX RAT, a remote access trojan that can steal data and let attackers control an infected machine. (thehackernews.com)

The victim count was not limited to hobbyists. Kaspersky said it identified more than 150 victims, mostly individuals, with infections also seen in retail, manufacturing, consulting, telecommunications, and agriculture, and with most detections in Brazil, Russia, and China. (securelist.com)

The warning spread quickly because homelab machines often hold browser logins, remote management tools, Secure Shell keys, and network dashboards in the same place as testing software. A poisoned download on a trusted site can turn a routine temperature check into credential theft. (theregister.com)

CPUID said the breach has been fixed, but anyone who downloaded those tools during the affected period needs to verify what they installed, not just what site they used. In this case, the danger was the download link itself. (bleepingcomputer.com)
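
One way to check for the side-loading pattern described above, as an added example that is not code from CPUID, Kaspersky, or any of the cited reports: it walks download or install folders and reports any copy of “CRYPTBASE.dll” that sits outside the Windows system directories, along with the executables beside it. The function names, the default directory list (standard Windows layout assumed), and the sample tree in `demo()` are constructed for illustration, and a hit is a lead for review, not a verdict.

```python
import os
import tempfile
from pathlib import Path

# DLL name taken from the article; add other system DLL names as needed.
WATCHED_DLLS = {"cryptbase.dll"}


def default_system_dirs():
    """Where Windows keeps its own copies (assumes the standard layout)."""
    root = Path(os.environ.get("SystemRoot", r"C:\Windows"))
    return [root / "System32", root / "SysWOW64", root / "WinSxS"]


def _is_under(path, parents):
    """True if path equals, or is nested inside, any directory in parents."""
    path = path.resolve()
    return any(p.resolve() == path or p.resolve() in path.parents for p in parents)


def find_sideload_candidates(roots, system_dirs=None, watched=WATCHED_DLLS):
    """Return (dll_path, [exe names beside it]) for watched DLLs outside system dirs."""
    system_dirs = [Path(d) for d in (system_dirs or default_system_dirs())]
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            here = Path(dirpath)
            if _is_under(here, system_dirs):
                continue  # the genuine copy lives here
            for name in files:
                if name.lower() in watched:  # Windows file names are case-insensitive
                    exes = sorted(f for f in files if f.lower().endswith(".exe"))
                    hits.append((here / name, exes))
    return hits


def demo():
    """Constructed tree: a planted DLL beside an EXE, plus a copy in a 'system' dir."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        app = base / "Downloads" / "hwmonitor"
        sysdir = base / "Windows" / "System32"
        for d in (app, sysdir):
            d.mkdir(parents=True)
        (app / "HWMonitor.exe").write_bytes(b"")
        (app / "CRYPTBASE.dll").write_bytes(b"")
        (sysdir / "cryptbase.dll").write_bytes(b"")
        hits = find_sideload_candidates([base], system_dirs=[sysdir])
        return [(p.relative_to(base).as_posix(), exes) for p, exes in hits]
```

On a real machine, call `find_sideload_candidates` with the folders where the tools were downloaded or unpacked and review each reported path by hand.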