Scan your cooling tools — CPU‑Z sites hacked

CPU-Z and HWMonitor are the little dashboard apps PC builders use to read chip names, clock speeds, fan speeds, temperatures, voltages, and memory details straight from the machine’s sensors. CPU-Z’s own site says CPU-Z reports processor, motherboard, and memory data, and HWMonitor says it reads voltages, temperatures, powers, currents, and fan speeds. (cpuid.com 1) (cpuid.com 2) That is why this incident landed so hard on April 10, 2026: people thought they were downloading a thermometer and got something closer to a burglar’s toolkit. BleepingComputer reported that attackers changed download links on CPUID’s official site so CPU-Z and HWMonitor visitors were served malicious executables instead. (bleepingcomputer.com) The trick was not “the file on a random mirror was bad.” The trick was “the official page pointed somewhere else,” with users reporting that the download portal redirected to Cloudflare R2 storage and fetched a trojanized copy of HWiNFO, which is a different hardware-monitoring tool from a different developer. (bleepingcomputer.com) Researchers said the malicious file name was HWiNFO_Monitor_Setup, and users described it as launching a Russian-language installer wrapped in Inno Setup, which stood out because that is not what people expected from CPUID’s normal downloads. BleepingComputer also reported that the clean file `hwmonitor_1.63.exe` was still reachable by direct link, which suggests the original binaries stayed intact while the website’s delivery path was poisoned. (bleepingcomputer.com) This kind of attack is called a supply-chain attack, which is the software version of swapping the label on a trusted box after it leaves the factory. Instead of breaking your computer first, the attacker breaks the route you use to get software onto it. (bleepingcomputer.com) CPUID told BleepingComputer that a “secondary feature,” described as a side application programming interface, was compromised for about six hours between April 9 and April 10, 2026. CPUID said the breach caused the main website to “randomly display malicious links,” while its signed original files were not compromised. (bleepingcomputer.com) That detail changes what users should look for. If you downloaded during that April 9 to April 10 window, checking only whether CPUID’s real installer exists now is not enough, because the danger was the link you were handed at the time, not just the version number on the product page. (bleepingcomputer.com) The malware itself does not look like a throwaway prank. BleepingComputer said researchers saw a multi-stage loader that operated almost entirely in memory, used file masquerading, and tried to evade antivirus and endpoint detection tools, with VirusTotal showing detections from 20 security engines on the downloaded archive. (bleepingcomputer.com) The immediate checklist is boring but concrete: if you grabbed CPU-Z or HWMonitor from CPUID around April 9 or April 10, scan the machine, remove the suspect installer, and compare any file you kept against a known-good checksum from the vendor before running it again. CPUID’s pages still offer both setup and zip packages for CPU-Z and HWMonitor, which gives users more than one artifact to verify. (cpuid.com 1) (cpuid.com 2) (bleepingcomputer.com) By the time CPUID spoke to BleepingComputer on April 10, the company said the breach had been fixed and clean versions were being served again. The bigger lesson is older than this hack: even trusted utility sites can become the weakest link for a few hours, and a few hours is enough when millions of users treat a hardware tool like a routine download. (bleepingcomputer.com)