Tom’s Hardware
Jowi Morales

HWMonitor and CPU-Z developer CPUID breached by unknown attackers — cyberattack forced users to download malware instead of valid apps for six hours


The website of CPUID, the maker of popular hardware monitoring tool HWMonitor and system information tool CPU-Z, has been breached by unknown attackers, and those who downloaded these tools were instead served an infected file. According to vx-underground, a cybersecurity research collective, on X, the threat actor compromised cpuid.com, and users who were trying to download the latest version of the tool were served a compromised installer from supp0v3-dot-com, which was also used in a malware campaign launched in March 2026. A Reddit user said that this replaced the downloaded file for the latest version of HWMonitor, named hwmonitor_1.63.exe, with HWiNFO_Monitor_Setup.exe.

It seems that the primary goal of the malware was to steal browser credentials, especially as it was trying to break into Google Chrome’s IElevation COM interface to dump and decrypt saved passwords. The malware is relatively complex, with vx-underground saying in another X post that it was deeply trojanized and uses interesting methods to evade endpoint detection and response and antivirus systems. The hackers behind it also compromised one of the most popular tools used by PC enthusiasts and professionals to execute a supply chain attack.

The developer behind these tools, Samuel Demeulemeester, released a statement on X, saying that the investigation into this breach is ongoing, but it seems that a side API was compromised for about six hours, causing the website to link to the malicious files. However, CPUID’s signed original files were not compromised, and the breach has since been fixed.

Given the popularity of HWMonitor and CPU-Z, many people have probably downloaded the infected files during that relatively short time frame. Windows Defender usually caught the malware before it was installed, and those who bypassed it would probably have noticed the weird Russian install program. However, there’s still a small chance that someone went through with the installation and got their system and stored credentials compromised.

Supply chain attacks have recently been gaining popularity as a method for spreading malware. For example, one of the most popular JavaScript libraries was hit in late March to deploy cross-platform remote access trojans, while an unofficial 7-Zip website was compromised in January 2026 to infect PCs downloading the popular compression utility and make them part of a proxy botnet. Even update servers could be compromised: this is what happened to Notepad++ in June 2025, when users who were updating the app using its built-in updater were infected.
