CPU‑Z and HWInfo installers carry malware

People downloading CPU-Z or HWMonitor on April 9 and April 10, 2026 were not just grabbing temperature and hardware tools in some cases. They were clicking trusted links on CPUID’s official site and getting a malicious installer instead. (bleepingcomputer.com) CPU-Z and HWMonitor are the kind of Windows utilities people use to check processor model names, clock speeds, voltages, and temperatures. They are common on gaming PCs, repair benches, and corporate test machines because they show what parts are inside a computer without opening the case. (cpuid.com) The attack did not appear to replace CPUID’s signed program files themselves. CPUID told Cybernews that a “secondary feature” or side application programming interface was compromised for about six hours between April 9 and April 10, 2026, and that the main site then randomly showed malicious download links. (cybernews.com) That kind of breach is called a supply-chain attack. Instead of breaking into your computer directly, the attacker poisons the place you trust to hand you the software in the first place, like swapping a package at the warehouse instead of picking a lock at your front door. (bleepingcomputer.com) The giveaway was strange enough that users noticed fast. Reports said the HWMonitor download path served a file named “HWiNFO_Monitor_Setup.exe,” Windows Defender flagged it, and some people saw a Russian-language Inno Setup installer instead of the normal CPUID package. (videocardz.com) There is a second layer of confusion here because HWiNFO is a real hardware-monitoring tool made by a different developer. Igor’s Lab said the most plausible explanation was not that HWiNFO itself had been hacked, but that something inside CPUID’s download environment had been manipulated to point at a third-party file. (igorslab.de) BleepingComputer reported that direct downloads of the clean file “hwmonitor_1.63.exe” were still possible from the underlying URL while the website links were poisoned. That means two people visiting the same official page could have very different outcomes depending on which link the compromised backend handed them. (bleepingcomputer.com) CPUID’s own pages showed HWMonitor 1.63 dated April 3, 2026 and CPU-Z 2.19 while the incident was unfolding. That made the attack more dangerous because nothing on the download page looked obviously fake or outdated to a normal user. (cpuid.com) (igorslab.de) The practical advice from security coverage was blunt: do not install fresh copies downloaded during the affected window, block the installers in managed environments, and treat any machine that ran the suspicious package as potentially compromised until it is checked. CPUID said the breach had been found and fixed, but also said the investigation was still ongoing. (bleepingcomputer.com) (cybernews.com) This is why software trust breaks so fast when a download channel is touched for even a few hours. CPU-Z and HWMonitor are not obscure tools, and a six-hour window on a site used by enthusiasts, technicians, and information technology staff is enough to turn a routine update into an incident response job. (theregister.com)