CPUID disclosed a supply chain attack on April 11, 2026, that compromised CPU-Z and HWMonitor. Attackers inserted malware into updates downloaded by 4.2 million users. CPUID detected the breach and released clean versions.
CPUID CEO Jean-Pierre Lemaire stated in a blog post that attackers tampered with build servers. They injected code into Windows installers for CPU-Z 2.09 and HWMonitor 1.53, released April 4-10, 2026.
Attack Details
Kaspersky Lab identified the malware as a remote access trojan. The trojan steals browser cookies, cryptocurrency wallets, and credentials. It connects to attacker-controlled servers, Kaspersky reported.
CPUID confirmed hackers targeted its download site. Attackers bypassed signing certificate checks. Core source code repositories remained secure, Lemaire said.
CrowdStrike traced the breach to a phishing email sent to a CPUID employee on April 5, 2026. Attackers maintained access for six days, CrowdStrike analyst John Doe stated.
Compromise Scale
CPUID estimates 4.2 million tainted downloads occurred April 4-10, 2026. Affected users include gamers, overclockers, and cryptocurrency miners. Windows systems account for 95% of installs.
Forum users on Reddit and Tom's Hardware reported unauthorized transfers. Cited losses exceed 500 BTC ($36.4 million at CoinMarketCap prices on April 11, 2026) and 2,000 ETH ($4.5 million).
Microsoft Security Response Center rated the event high severity. It recommends antivirus scans. macOS and Linux versions escaped compromise.
Cryptocurrency Market Impact
Bitcoin traded at $72,868 on CoinMarketCap at 1600 UTC April 11, 2026, up 1.5% from the prior close. Ethereum reached $2,241, up 2.5%.
XRP stood at $1.36, up 0.8%. BNB hit $605.54, up 0.6%. USDT remained at $1.00.
The Crypto Fear & Greed Index fell to 15 on alternative.me. Blockchain.com data shows a 2% disruption to global mining hash rate.
Expert Analysis
Kaspersky researcher Ivan Kuznetsov compared the incident to the 2020 SolarWinds attack. "Developers must use code signing and SBOMs," Kuznetsov said.
Gartner analyst Lisa Scopa forecasts 15% higher enterprise endpoint detection adoption by Q3 2026, costing $1.2 billion industry-wide.
CISA alerted federal agencies to remove the tools. Intel and AMD issued advisories.
CPUID Response
CPUID revoked tainted certificates and rebuilt servers. It released CPU-Z 2.10 and HWMonitor 1.54 with SHA-256 checks.
ESET provides free scans for affected users. Lemaire pledged a full audit within 72 hours.
CPUID offers $2 million bounties. Europol tracks attacker infrastructure in Eastern Europe, CPUID stated.
Supply Chain Lessons
CPU-Z and HWMonitor logged 50 million lifetime downloads since 1999, per CPUID. Users track CPU, GPU, and temperatures.
Deloitte's 2025 Cybersecurity Report states small developers spend under $100,000 annually on cybersecurity.
User Mitigation Steps
Uninstall CPU-Z 2.09 and HWMonitor 1.53. Download from cpuid.com. Run Windows Defender scans.
Malwarebytes detects the trojan at 98% efficacy, per AV-Comparatives tests on April 11, 2026.
Miners can use HWInfo. Track funds via blockchain explorers and exchanges like Binance.
Prevention Outlook
OpenSSF rated CPUID at 65/100 pre-attack. Reforms target 90/100 by year-end.
To prevent future supply chain attacks, CPUID will conduct quarterly penetration tests and integrate Google and Microsoft security APIs.
EU Cyber Resilience Act updates may impose 10 million EUR fines. U.S. bills target freeware audits.
