CPUID, the developer behind ubiquitous PC diagnostic tools CPU-Z and HWMonitor, suffered a supply chain compromise that served malware to users for approximately six hours between April 9 and 10, 2026. Attackers hijacked a secondary API on the cpuid.com website, randomly redirecting download links—including those triggered by in-app updates—to a trojanized installer masquerading as HWiNFO_Monitor_Setup.exe. This Russian-language executable, flagged by multiple antivirus engines, deploys multi-stage infostealer malware focused on browser credentials and potentially cryptocurrency wallets.
The malware evades detection through in-memory execution, PowerShell payloads, and NTDLL proxying via a .NET assembly, with one sample hash—eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f—detected by over 30 VirusTotal engines. Direct links to signed originals like hwmonitor_1.63.exe remained clean, but the compromised chain affected HWMonitor version 1.63, CPU-Z, and others. This follows a similar attack on FileZilla users last month using the same infrastructure, suggesting a pattern targeting popular utilities.
CPUID developer Samuel Demeulemeester, who was on holiday during the breach, stated: "Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours... The breach was found and has since been fixed." Reddit threads in r/pcmasterrace and r/AMDHelp exploded with user reports of Windows Defender quarantines and paranoia over recent downloads, though many scans came back clean if auto-updates were disabled.
Users who downloaded or updated during the window should run full antivirus scans, verify file hashes, and rotate credentials. The incident underscores a harsh reality: even gold-standard tools carry risks when backend APIs become the weak link. Supply chain audits aren't optional—they're survival.
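For the "verify file hashes" step above, here is an added example (not code from the article or from CPUID) of the triage a defender would run over a downloads folder: compute each file's SHA-256, compare it first against the malicious sample hash published in this incident, then against a vendor-published reference hash for that file name, and flag files that carry the trojanized installer's name but have no reference hash to check. The reference hashes, the `cpuz_setup.exe` file name and the file contents in `demo()` are constructed for the example; only the IoC hash, the `HWiNFO_Monitor_Setup.exe` name and `hwmonitor_1.63.exe` come from the report.

```python
import hashlib
import tempfile
from pathlib import Path

# IoC from the incident report: SHA-256 of the trojanized installer sample.
KNOWN_MALICIOUS_SHA256 = {
    "eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f":
        "trojanized HWiNFO_Monitor_Setup.exe (CPUID incident sample)",
}

# File name the redirected download was served under (from the report).
SUSPICIOUS_NAMES = {"hwinfo_monitor_setup.exe"}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest, file_name, expected_sha256=None):
    """Pure decision logic: (verdict, reason) for one file given its digest.

    Order matters: a known-bad hash wins over everything, then a reference
    hash (if the vendor published one), then name-based heuristics.
    """
    digest = digest.lower()
    if digest in KNOWN_MALICIOUS_SHA256:
        return "malicious", "SHA-256 matches published IoC: " + KNOWN_MALICIOUS_SHA256[digest]
    if expected_sha256 is not None:
        if digest == expected_sha256.lower():
            return "verified", "SHA-256 matches the vendor-published hash"
        return "mismatch", f"SHA-256 {digest} differs from expected {expected_sha256.lower()}"
    if file_name.lower() in SUSPICIOUS_NAMES:
        return "suspicious", (f"{file_name} is the name the trojanized installer was served as, "
                              "and no reference hash is available to verify it")
    return "unknown", "no IoC match, but no reference hash was supplied either"


def triage_download(path, expected_sha256=None):
    """Hash one file on disk and classify it."""
    path = Path(path)
    return classify(sha256_of_file(path), path.name, expected_sha256)


def triage_directory(directory, expected=None):
    """Triage every regular file in a folder. `expected` maps file name -> reference SHA-256."""
    expected = expected or {}
    results = {}
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file():
            results[entry.name] = triage_download(entry, expected.get(entry.name))
    return results


def demo():
    """Build a constructed downloads folder (placeholder bytes, not real installers) and triage it."""
    with tempfile.TemporaryDirectory() as d:
        folder = Path(d)

        # Signed original from the vendor: reference hash matches the file.
        good = folder / "hwmonitor_1.63.exe"
        good.write_bytes(b"MZ constructed stand-in for the signed installer")

        # Served under the name the trojanized installer used; no reference hash known.
        renamed = folder / "HWiNFO_Monitor_Setup.exe"
        renamed.write_bytes(b"MZ constructed stand-in for an unverified download")

        # Constructed name; the vendor hash we hold does not match the bytes on disk.
        tampered = folder / "cpuz_setup.exe"
        tampered.write_bytes(b"MZ constructed stand-in for a swapped installer")

        expected = {
            "hwmonitor_1.63.exe": sha256_of_file(good),
            "cpuz_setup.exe": hashlib.sha256(b"the bytes the vendor actually published").hexdigest(),
        }
        return triage_directory(folder, expected)


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{verdict:10} {name}: {reason}")
```

Reference hashes only help if they come from a channel the attacker did not control; a hash read from the same hijacked download page is worthless, which is why the example treats "no reference hash" as a distinct verdict rather than silently passing the file.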