Some comments purportedly (I did not verify) from one of the maintainers:
>Dear All, I'm Sam and I'm working with Franck on CPU-Z (I'm doing the validator). Franck is unfortunately OOO for a couple weeks. I'm just out of bed after working on Memtest86+ for most of the night, so I'm doing my best to check everything. As very first checks, the file on our server looks fine (https://www.virustotal.com/gui/file/6c8faba4768754c3364e7c40...) and the server doesn't seem compromised. I'm investigating further... If anyone can tell me the exact link to the page where the malware was downloaded, that would help a lot.
>Thank you. I found the biggest breach, restored the links and put everything in read-only until more investigation is done. Seems they waited until Franck was off and I got to bed after working on Memtest86+ yesterday :-/
>The links have been compromised for a bit more than 6 hours between 09/04 and 10/04 GMT :-/
So, it appears that the cpuid website was compromised, with links leading to fake installers.
For what it's worth - I used to write CPU reviews a while back - I can vouch for both Sam and Franck. Franck is the guy behind CPUID and Sam is a close friend of his, who was known for working at Canard PC on top of his work on Memtest: https://x86.fr/about-me/
When I say I didn't verify, I just mean that I ripped these quotes out of reddit, and did not check whether the reddit username that posted the comments is known to be an identity of Sam.
I didn't talk to him to verify, but at the very least it's his username (and the account is old enough at this point: https://www.reddit.com/user/Doc_TB/comments/), and his very Belgian English.
I know both are close and Sam handles his website, so since the links are fixed, I have near zero doubt it's Sam here on reddit.
Glad that they figured out the issue and fixed the links. When I first read this, I assumed it was actually the sketchy ads that are run on www.cpuid.com.
These are the real ads I just saw on a single download page for CPU-Z: "Continue to Download", "Install For windows 10, 11 32/64 bit Get Fast!", "Download", "Download now from PC APP STORE", or "Download Now For windows 10, 11 32/64 bit". Many of them appeared multiple times on the page.
The real download links don't even say they are download links.
I love the winget CLI in this situation. This is all you need: winget install CPUID.CPU-Z.
Personally I'm fine with the scammy ads. I feel most people who would use CPU-Z are pretty technical and should be able to tell the difference between an ad download button vs the real one.
That, and you should already be using an ad blocker.
It's the third time that I've read something about availability notifications on discord and other chats getting abused for timed attacks in the last few weeks.
After my WordPress site got hacked way back through an exploit in one of the WP files, I set up a cron job that compared the hash of the static files with the expected hash, and would fire off an email if they differed.
The script lived above the web root, so they'd have to escape that to tamper with it, and was generated by another script.
Saved me a couple of times since, well worth the 15 minutes I spent on setting it up.
tripwire was the original file integrity anti-virus/anti-tampering software from the security group (which turned into CERIAS) at Purdue led by Dr. Eugene "Spaf" Spafford.
For Windows users, this is an advantage of using winget for installing things. It points to the installer hosted elsewhere, but it at least does a signature check. The config for the latest installer is listed here: https://github.com/microsoft/winget-pkgs/blob/master/manifes...
which you can install with:
winget install --exact --id CPUID.CPU-Z
(there is a --version flag where you can specify "2.19", for which the signature is a month old, so it should be safe to install that way)
Seems the installers hosted by them are fine. The links on the site have been changed to direct people towards Cloudflare R2 storage with various copies of malicious executables.
Looking forward to information down the line on how this came about.
The same threat group hit FileZilla last month with a fake domain. This time they didn't even need a fake domain, they compromised the real one's API layer. The attack is evolving from 'trick users into visiting the wrong site' to 'make the right site serve the wrong file.'
I've wondered about this while using CachyOS and their package installer. I don't know what repos do what, I don't really understand the security model of the AUR, and I wonder, if I download a package, how can I know it's legitimate or otherwise by some trusted user of the community vs. some random person?
Jesus. I see that post and comment section and I immediately expect to hear Joey telling me about how this ATM in Idaho started spraying cash after his hack of the Gibson. That is a real-life reproduction of the perception of hackers in films in the '90s.
Just my luck that I needed and downloaded CPU-Z yesterday at work, after not needing it for years. Fortunately my download is not detected as malicious by Virustotal, but what a scare.
Wait, people still download unsigned exes from PHP-era websites in 2026? And then act surprised when the download link starts pointing to malware?
At this point if your software isn't distributed through a repo with verifiable builds, you're basically running a malware lottery for your users. The only question is when, not if.
CPUID got lucky it was only 6 hours. Imagine if the attackers had better taste in filenames than "HWiNFO_Monitor_Setup.exe" lmao
As I recall, they recommended putting the expected values on a floppy disk and setting the ‘write protect’ tab, so the checksums couldn’t be changed.
https://docs.lib.purdue.edu/cstech/1084/
Had some drawbacks compared to using offline media of course, but in day to day operation on an air-gapped network it had its uses.
Also worth knowing is the "-V" (for verify) parameter of rpm.
[1] https://docs.redhat.com/en/documentation/red_hat_enterprise_...
https://man.openbsd.org/security
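The cron-job hash check described a few comments up, and the tripwire / rpm -V discussion here, both amount to the same mechanism: a baseline manifest of file hashes stored outside the web root (or on read-only media) and a periodic comparison against the live tree. The script below is an added example, not code from any commenter; it assumes a manifest file path of your choosing and relies on cron's default behaviour of mailing any non-empty job output, which stands in for the commenter's email alert.

```python
import hashlib
import json
import sys
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: str) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    base = Path(root)
    return {str(p.relative_to(base)): sha256_of(p)
            for p in sorted(base.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Report the three kinds of drift a tampered web root shows."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline.keys() & current.keys()
                           if baseline[f] != current[f]),
    }

def check(root: str, manifest_path: str) -> dict:
    """Compare root against a stored manifest (keep the manifest outside root)."""
    with open(manifest_path) as fh:
        baseline = json.load(fh)
    return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    # usage: integrity.py init|check <web_root> <manifest.json>  (hypothetical paths)
    mode, root, manifest = sys.argv[1:4]
    if mode == "init":
        with open(manifest, "w") as fh:
            json.dump(build_manifest(root), fh, indent=1)
    else:
        drift = check(root, manifest)
        if any(drift.values()):
            # Any output from a cron job is mailed to MAILTO; silence means clean.
            print(json.dumps(drift, indent=1))
            sys.exit(1)
```

Run `init` once from a known-good state, then schedule `check` from cron; a non-zero exit plus the JSON report is the alert.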
> Saved me a couple of times since
Wait, how often does your Wordpress site get successfully hacked like that?
> after the download my Windows Defender instantly detected a virus.
> (because I am often working with programs which trigger the Defender I just ignored that)
This again shows the unfortunate corrosive effect of false-positives. Probably impossible to solve while aggressively detecting viruses though.
So two programs from CPUID. I wonder if there are more affected.
Same topic on Reddit at https://news.ycombinator.com/item?id=47718830 @dang
v1.63 updated 6 days ago https://github.com/microsoft/winget-pkgs/tree/master/manifes... via https://winstall.app/apps/CPUID.HWMonitor
v2.19 updated 15 days ago https://github.com/microsoft/winget-pkgs/tree/master/manifes... via https://winstall.app/apps/CPUID.CPU-Z
Supply chain attacks are easier because changelogs for most software are useless now if they are provided at all.
Maybe the 5-10% of true nerds will go find the l33t open source solutions, but most people will just use some paid solution.
Maybe Steam could build. Or in Windows. Or some SaaS solution for registry.
In exchange you just share your HW info