Popular CPU‑tool site was trojanized
The CPUID website, which distributes tools like CPU‑Z and HWMonitor, was compromised and has been serving trojanized installers that drop malicious DLLs and attempt in‑memory execution to evade antivirus. Users and IT teams were warned to avoid downloads until the supply‑chain issue is fixed. (x.com)
For years, CPU-Z and HWMonitor were the kind of boring utility people downloaded without thinking, like a thermometer for your computer. On April 10, 2026, security reporters said the official CPUID site had been altered so those downloads pointed to malware instead of the expected installer. (bleepingcomputer.com)

CPU-Z is a hardware information tool that shows your processor name, clock speed, motherboard, memory, and other parts. HWMonitor is a sensor reader that shows temperatures, voltages, fan speeds, and power use inside a Windows machine. (cpuid.com 1) (cpuid.com 2)

That detail matters because this was not a fake lookalike site buying search ads. BleepingComputer reported that attackers got access to a CPUID application programming interface and changed the official site’s download links, so people visiting the real domain were handed poisoned files. (bleepingcomputer.com)

This kind of break-in is called a supply-chain attack. Instead of picking one victim at a time, the attacker tampers with a trusted delivery point and waits for normal users, repair shops, and information technology teams to install the booby-trapped package themselves. (bleepingcomputer.com)

Early analysis said one malicious package bundled the real CPU-Z files with a fake file named CRYPTBASE.dll. That trick is called Dynamic Link Library sideloading, and it works like slipping a forged spare part into a sealed tool kit so Windows loads the attacker’s file first. (gist.github.com) (theregister.com)

Researchers also said the malware tried to run mostly in memory, which means it does more work in the computer’s short-term workspace instead of dropping obvious files onto the disk. That makes antivirus products more likely to miss it, because there is less for a scanner to grab and inspect later. (cybernews.com)

The reports on April 10 pointed to the current Windows releases, including CPU-Z 2.19 and HWMonitor 1.63, as the versions users were seeing flagged or replaced. Some users were even getting oddly named installers instead of the normal file names, which was the first clue that the download path had been tampered with. (bleepingcomputer.com) (cyberwebspider.com)

The ugly part of a compromise like this is trust. If a graphics card reviewer, overclocking hobbyist, or corporate technician grabs a tool from the official vendor page and runs it with administrator rights, the attacker inherits the same level of access the trusted tool was supposed to have. (cpuid.com) (bleepingcomputer.com)

By later coverage on April 10, some outlets said CPUID had restored normal-looking downloads and claimed the original signed program files were not altered, with the attack affecting delivery rather than the software binaries themselves. That is better than a stolen code-signing key, but it still means anyone who downloaded during the compromised window has to treat that machine as exposed. (vpncentral.com) (bleepingcomputer.com)

The practical advice on April 10 was simple: do not download CPU-Z or HWMonitor from CPUID until the vendor confirms the incident is fully contained, and if you already ran one of the suspect installers, isolate the machine and investigate for malicious Dynamic Link Library files, unexpected network traffic, and follow-on payloads. A utility that normally tells you your processor temperature turned into a reminder that even the safest-looking download button can become the attack. (bleepingcomputer.com) (theregister.com)
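
For the "investigate for malicious Dynamic Link Library files" step, here is a triage check, added as an example and not taken from the original reports or from CPUID: it lists copies of CRYPTBASE.dll that sit outside the Windows directory, together with any executables in the same folder. It assumes the legitimate copies live only under %SystemRoot%; the function names and the directory tree in `demo()` are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Name taken from the reports above; legitimate copies live under %SystemRoot%.
WATCHED_DLLS = {"cryptbase.dll"}

def find_sideload_candidates(roots, system_root, watched=WATCHED_DLLS):
    """Return sorted (dll_path, [exe names in the same folder]) for watched
    DLL names found outside system_root."""
    system_root = Path(system_root).resolve()
    hits = []
    for root in roots:
        for dirpath, dirs, files in os.walk(root):
            here = Path(dirpath).resolve()
            if here == system_root or system_root in here.parents:
                dirs[:] = []  # do not descend into the Windows tree
                continue
            by_lower = {f.lower(): f for f in files}  # Windows names ignore case
            exes = sorted(f for f in files if f.lower().endswith(".exe"))
            for name in sorted(watched):
                if name in by_lower:
                    hits.append((str(here / by_lower[name]), exes))
    return sorted(hits)

def demo():
    """Run the scan over a constructed directory tree of empty files."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        for rel in ("Windows/System32/cryptbase.dll",        # expected location
                    "Users/a/Downloads/tool/cpuz.exe",       # constructed names
                    "Users/a/Downloads/tool/CRYPTBASE.dll",  # candidate
                    "Users/a/Documents/notes.txt"):
            p = base / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"")
        hits = find_sideload_candidates([base], base / "Windows")
        return [(Path(d).relative_to(base).as_posix(), e) for d, e in hits]

if __name__ == "__main__":
    import sys
    sysroot = os.environ.get("SystemRoot", r"C:\Windows")
    scan_roots = sys.argv[1:] or [str(Path.home())]
    for dll, exes in find_sideload_candidates(scan_roots, sysroot):
        print(f"REVIEW {dll} (executables beside it: {', '.join(exes) or 'none'})")
```

A hit is a lead for review, not a verdict: check the file's signature and origin before acting on it.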