CPU-Z and HWMonitor compromised

Scope and Nature of the Compromise

  • The attack targeted CPUID’s website, not the genuine binaries hosted on CPUID’s own server.
  • Download links on the site were altered to point to malicious executables hosted on Cloudflare R2, a third-party object store rather than CPUID’s infrastructure.
  • A maintainer reported finding and fixing the “biggest breach,” restoring the correct links and setting the site to read-only while investigating.
  • The reported compromise window was a bit over six hours, spanning April 9–10 (GMT).
  • Some characterized it as a watering-hole attack rather than a classic supply-chain compromise; others argue it is a “short supply chain” compromise, since the vendor’s own download page was the tampered link in the chain.

Affected Software and Confusion

  • Confirmed affected: CPU-Z and HWMonitor, both from CPUID.
  • Explicit clarification that HWMonitor (CPUID) is not the same as HWInfo, a different product from a different site.
  • Some concern that other CPUID tools might also be affected; the thread gives no clear answer.

Relation to Other Incidents

  • The same threat group is said to have hit FileZilla recently, initially via a fake look-alike domain; here they escalated to compromising the real site’s API/download layer.
  • Commenters note a broader pattern of attackers timing intrusions around developers’ known absences, possibly using availability information gleaned from chat/Discord.

Package Managers, Signing, and Repos

  • Many recommend installing through package managers (winget, Chocolatey, Linux distro repos) instead of direct downloads, so the installer is checked against a pinned hash rather than fetched blindly from whatever URL the site currently serves.
  • winget is praised for its manifest hash checks, Defender integration, GitHub-hosted manifests, and manual PR review of manifest changes, and is credited with mitigating earlier hijacks (e.g., Notepad++).
  • Others are skeptical: winget is described by some as “just running setup.exe,” offering limited protection when the upstream source itself is compromised or a malicious update passes the shallow review.
  • Discussion of the Linux model: trusted distro repositories versus the “wild west” of the AUR, where users are expected to read the PKGBUILD before installing.
  • Debate over Windows code signing and GPG: some see a central PKI as a strong defense; others argue it is only marginally better than self-signing if the signing keys and the downloads live on the same compromised infrastructure.
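The following is an added example, not code from the thread, from CPUID or from winget, showing what a manifest hash check buys and what it does not. It models the incident: a manifest pins both the installer URL and its SHA-256; the verifier rejects a download whose host is not under the vendor’s domain (which is what a link rewritten to a third-party bucket looks like) before it even compares hashes. The manifest format, the vendor domain example.test, the attacker host storage.attacker.example and the installer bytes are all constructed for the example; real winget manifests are YAML and this toy parser only handles flat "Key: value" lines.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample installer and the hash a manifest would pin for it.
GOOD_INSTALLER = b"MZ" + b"\x00" * 62 + b"constructed fake installer body"
GOOD_SHA256 = hashlib.sha256(GOOD_INSTALLER).hexdigest()

# Constructed, minimal winget-style manifest (real manifests are YAML; this
# toy parser only handles flat "Key: value" lines so the example runs with
# the standard library alone).
MANIFEST_TEXT = f"""PackageIdentifier: Example.Tool
InstallerUrl: https://download.example.test/tool-setup.exe
InstallerSha256: {GOOD_SHA256}
"""

# Assumed vendor domain(s); these hosts and their subdomains are accepted, nothing else is.
VENDOR_DOMAINS = {"example.test"}


def parse_manifest(text):
    """Flat 'Key: value' parser for the constructed manifest above."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def host_is_allowed(url, domains=VENDOR_DOMAINS):
    """True only for https URLs whose host is a vendor domain or a subdomain of one."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https" or not host:
        return False
    return any(host == d or host.endswith("." + d) for d in domains)


def verify_installer(manifest, installer_bytes, domains=VENDOR_DOMAINS):
    """Return (ok, reason). The host check runs first: a link rewritten to point
    off-vendor is rejected even if the attacker also updated the pinned hash."""
    url = manifest.get("InstallerUrl", "")
    if not host_is_allowed(url, domains):
        return False, f"installer URL host not in vendor allowlist: {url}"
    expected = manifest.get("InstallerSha256", "").lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return False, "manifest has no valid InstallerSha256"
    actual = hashlib.sha256(installer_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, f"sha256 mismatch: file {actual[:12]}..., manifest {expected[:12]}..."
    return True, "host and hash match manifest"


if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST_TEXT)
    print(verify_installer(manifest, GOOD_INSTALLER))             # genuine file
    print(verify_installer(manifest, GOOD_INSTALLER + b"\x90"))   # swapped binary
    hijacked = dict(manifest, InstallerUrl="https://storage.attacker.example/tool-setup.exe")
    print(verify_installer(hijacked, GOOD_INSTALLER))             # link pointed elsewhere
```

The ordering is the point: pinning the hash catches a swapped binary behind an unchanged link, and pinning the host catches a link redirected to storage the vendor does not control. Neither helps if the attacker can edit the manifest itself, which is the skeptics’ objection above: a manifest that pins the attacker’s URL and the attacker’s hash passes every check here, so the review step on manifest changes is what has to hold.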

Defensive Practices and Tools

  • File integrity monitoring tools (Tripwire, OSSEC, AIDE, OpenBSD’s security(8)) and simple hash-check cron jobs are highlighted as effective at catching changes to served files.
  • Forensic hardware write-blockers and read-only media are cited as strong but niche mitigations.
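As an added example of the “hash-check cron job” idea, not code from the thread or from any of the tools named above, here is a minimal file integrity monitor: it baselines a directory tree (SHA-256, size and mode for regular files, target for symlinks), compares a later scan against the stored baseline, and reports added, removed and modified paths. The demo scenario is constructed for the example: a tiny web root is baselined, then its download page is rewritten to point at an outside host (standing in for what happened to CPUID’s links) and a stray file is dropped; the installer itself is left alone and is correctly not reported.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record every regular file (sha256, size, mode) and every symlink (target)
    under root, keyed by POSIX-style relative path. Symlinks are recorded, not
    followed, so a link repointed at a different file is itself a change."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():
            baseline[rel] = {"type": "symlink", "target": os.readlink(path)}
        elif path.is_file():
            st = path.stat()
            baseline[rel] = {"type": "file", "sha256": hash_file(path),
                             "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}
    return baseline


def compare(old, new):
    """Diff two baselines. Only content, size, mode or link target count;
    mtime is deliberately ignored so a bare 'touch' does not page anyone."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny web root, then edit the download
    page so its link points off-site and drop an extra file, as an attacker
    with write access to the site (but not to the installer) might."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "downloads").mkdir()
        (root / "downloads" / "tool-setup.exe").write_bytes(b"MZ constructed installer")
        (root / "index.html").write_text(
            '<a href="/downloads/tool-setup.exe">Download</a>\n')
        # A real cron job would write this snapshot somewhere the web user cannot modify.
        snapshot = json.dumps(build_baseline(root), sort_keys=True)

        # Simulated tampering: link rewritten to an outside host, extra file dropped.
        (root / "index.html").write_text(
            '<a href="https://storage.attacker.example/tool-setup.exe">Download</a>\n')
        (root / "downloads" / "update.exe").write_bytes(b"MZ constructed payload")

        return compare(json.loads(snapshot), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run from cron, the job is only as trustworthy as its baseline: store the snapshot (and the script) where the account serving the site cannot write, ideally on another host or on the read-only media mentioned above, and alert on any non-empty diff. A six-hour compromise window, as reported here, is long enough for an hourly check to fire several times.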

User Behavior, AV, and Trust

  • Multiple stories of users ignoring Windows Defender warnings because of frequent false positives, especially with niche tools or “hack” software.
  • VirusTotal is commonly used to check downloads, and some developers scan their own releases with it.
  • Some foresee a shift toward paid or platform-integrated “trusted” tools; others fear that trend toward tighter “trusted computing” ecosystems.