Recent reports highlight a growing supply-chain risk in which attackers never touch source code or build systems and still reach end users. CPUID confirmed that its website briefly served malicious installers for CPU-Z and HWMonitor after a secondary backend API was breached for about six hours on April 9–10, 2026. Download links were swapped, apparently at random, to point at credential-stealing malware that dropped a fake CRYPTBASE.dll, ran PowerShell stages in memory, compiled a .NET payload on the host, and harvested browser credentials. The incident lines up with broader warnings from the Rust ecosystem: as dependency networks expand, operational defenses (provenance controls, vendoring, private registries, and audits) matter more than the trust implied by a familiar download page or crate name.
CPUID's website briefly served malicious installers for tools like HWMonitor and CPU-Z after attackers compromised a secondary backend API for about six hours on April 9–10, 2026. The vendor says the signed original files and the build process were not altered; instead, download links were swapped at random to point at credential-stealing malware, so a user could receive the malicious installer on one visit and the genuine one on the next. Analysis from vx-underground shows a malicious installer that dropped a fake CRYPTBASE.dll, ran PowerShell stages in memory, compiled a .NET payload on the host, injected into processes, and targeted browser credentials via Chrome's IElevation COM interface. Overlaps between this infrastructure and that of earlier supply-chain campaigns suggest a sustained operation rather than a one-off. CPUID fixed the issue but has not disclosed how the API was accessed or how many users were affected.
A Kerkour blog post highlighted on Hacker News warns that Rust's supply chain could become a major attack vector as the ecosystem grows. The discussion centers on how attackers might compromise crates, registry metadata, or distribution channels to introduce malicious code into Rust projects. Commenters recommend pragmatic mitigations: vendoring dependencies, hosting audited copies in private registries (e.g., Gitea/Cargo registries), and auditing third-party crates rather than relying on implied trust. This matters because Rust's memory-safety guarantees say nothing about what a dependency does: a malicious or tampered crate runs with full privileges at build time (build scripts and procedural macros) and at run time, and many organizations depend on open-source crates for critical infrastructure. The piece underscores operational controls (dependency management, provenance, and auditing) as the primary defenses against supply-chain compromise.
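One concrete form of the "vendor, then audit" advice above is to re-verify vendored crates against the lockfile before every build. After `cargo vendor`, each vendored crate directory carries a `.cargo-checksum.json` whose `package` field is the SHA-256 of the `.crate` archive, and `Cargo.lock` records the same digest as `checksum`; a vendored copy that was swapped after the audit, or a dependency quietly redirected to a git source, shows up as a mismatch. The script below is an added example written for this page (it is not from the blog post or its commenters); the `Cargo.lock` text, crate names and digests are constructed for the demo, and the only registry it treats as expected is crates.io.

```python
"""Cross-check vendored crates against Cargo.lock (added example, constructed data)."""
import json
import os
import re
import tempfile

CRATES_IO = "registry+https://github.com/rust-lang/crates.io-index"
KV_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')

# Constructed lockfile: a workspace member, a clean registry crate, a crate
# redirected to a git source, and a registry crate whose vendored copy differs.
SAMPLE_LOCK = '''\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "serde",
 "tinyutil",
]

[[package]]
name = "serde"
version = "1.0.200"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "aaaa1111"

[[package]]
name = "tinyutil"
version = "0.2.0"
source = "git+https://example.invalid/tinyutil.git#0123abcd"

[[package]]
name = "zerocopy"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cccc3333"
'''


def parse_cargo_lock(text):
    """Minimal parser for the [[package]] tables in Cargo.lock.

    Only the flat string keys (name, version, source, checksum) are read;
    the multi-line `dependencies = [...]` arrays are skipped.
    """
    packages = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif current is not None:
            m = KV_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return packages


def audit_vendor(lock_text, vendor_dir, allowed_sources=(CRATES_IO,)):
    """Return (name, version, finding) tuples for every package that is not as expected."""
    findings = []
    for pkg in parse_cargo_lock(lock_text):
        name, version = pkg["name"], pkg["version"]
        source = pkg.get("source")
        if source is None:
            continue  # path/workspace member, built from local source
        if source not in allowed_sources:
            findings.append((name, version, f"unexpected source {source}"))
            continue
        expected = pkg.get("checksum")
        if expected is None:
            findings.append((name, version, "registry package without checksum"))
            continue
        # cargo vendor names the directory `<name>`, or `<name>-<version>`
        # when several versions of one crate are vendored.
        candidates = [os.path.join(vendor_dir, name),
                      os.path.join(vendor_dir, f"{name}-{version}")]
        crate_dir = next((c for c in candidates if os.path.isdir(c)), None)
        if crate_dir is None:
            findings.append((name, version, "not present in vendor dir"))
            continue
        with open(os.path.join(crate_dir, ".cargo-checksum.json")) as fh:
            actual = json.load(fh).get("package")
        if actual != expected:
            findings.append((name, version, f"checksum mismatch: lock {expected} vendor {actual}"))
    return findings


def demo():
    """Build a constructed vendor tree in a temp dir and audit it."""
    vendor = os.path.join(tempfile.mkdtemp(prefix="vendor-audit-"), "vendor")
    for crate, digest in (("serde", "aaaa1111"), ("zerocopy", "deadbeef")):
        os.makedirs(os.path.join(vendor, crate))
        with open(os.path.join(vendor, crate, ".cargo-checksum.json"), "w") as fh:
            json.dump({"files": {}, "package": digest}, fh)
    return audit_vendor(SAMPLE_LOCK, vendor)


if __name__ == "__main__":
    for name, version, finding in demo():
        print(f"{name} {version}: {finding}")
```

Run against a real tree with `audit_vendor(open("Cargo.lock").read(), "vendor")` after `cargo vendor --locked`; a non-empty result should fail the CI job before `cargo build --offline` runs. The check is deliberately strict about sources: a git dependency is reported even when it is intentional, so that the allow-list of sources is an explicit decision rather than a default.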
CPU-Z and HWMonitor Compromised
CPUID confirmed a six-hour breach of a secondary backend API between April 9–10 that caused its website to randomly serve malicious installers in place of legitimate HWMonitor and CPU-Z downloads. CPUID says the signed original binaries and the build process were not altered; the swapped download links simply led users to malware-laden installers that dropped a fake CRYPTBASE.dll, ran PowerShell in memory, compiled a .NET payload on the host and stole browser credentials via Chrome's IElevation COM interface. Analysis links the infrastructure to prior supply-chain campaigns (including one targeting FileZilla), underscoring that attackers can weaponize a peripheral service such as a download-link API to distribute credential stealers without ever touching the signed product. CPUID says the issue is fixed but has not disclosed how access was gained or the number of affected users.
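The practical lesson of both CPUID write-ups above is that a download from the vendor's own site is not evidence of provenance when the link itself can be swapped, so the check has to happen on the file before it runs. The script below is an added example written for this page, not CPUID's or vx-underground's tooling. It does two things: compares the download's SHA-256 with a digest obtained out of band (a vendor-published hash, or a copy from a known-good install; the digest here is the SHA-256 of the constructed bytes `b"abc"`, not a real CPUID hash), and hunts a directory tree for CRYPTBASE.dll copies outside the Windows system directories, which is the residue the analysis describes. The files it inspects are constructed in a temp directory; the system-directory list and the DLL name list are assumptions for the demo.

```python
"""Pre-execution checks for a downloaded installer (added example, constructed data)."""
import hashlib
import hmac
import os
import tempfile

# DLL names known to be dropped beside or ahead of a legitimate loader; the
# write-up names CRYPTBASE.dll. Extend for other side-load targets (assumption).
SIDELOAD_NAMES = {"cryptbase.dll"}
# Locations where a genuine copy is expected (assumption: standard Windows layout).
SYSTEM_DIRS = ("windows/system32", "windows/syswow64", "windows/winsxs")

# SHA-256 of b"abc", standing in for a vendor-published digest (constructed).
PINNED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_file(path):
    """Stream the file through SHA-256 so large installers are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, pinned_sha256):
    """True only when the file's digest equals the out-of-band digest."""
    return hmac.compare_digest(sha256_file(path), pinned_sha256.lower())


def hunt_sideload_dlls(root):
    """Paths of known side-load DLL names found anywhere under root except the system dirs."""
    hits = []
    for dirpath, _, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/").lower()
        if any(rel == d or rel.startswith(d + "/") for d in SYSTEM_DIRS):
            continue  # a CRYPTBASE.dll here is the real one
        for f in files:
            if f.lower() in SIDELOAD_NAMES:
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def demo():
    """Construct a tiny Windows-like tree and run both checks over it."""
    root = tempfile.mkdtemp(prefix="installer-check-")

    def put(rel, data):
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)
        return p

    good = put("Downloads/hwmonitor-good.exe", b"abc")          # matches the pin
    swapped = put("Downloads/hwmonitor-swapped.exe", b"abc\x00")  # one byte off
    put("Windows/System32/CRYPTBASE.dll", b"legit")               # expected location
    dropped = put("Users/alice/AppData/Local/Temp/CRYPTBASE.dll", b"fake")
    return {
        "good_matches": verify_download(good, PINNED_SHA256),
        "swapped_matches": verify_download(swapped, PINNED_SHA256),
        "sideload_hits": hunt_sideload_dlls(root),
        "dropped": dropped,
    }


if __name__ == "__main__":
    result = demo()
    print("good installer matches pin:", result["good_matches"])
    print("swapped installer matches pin:", result["swapped_matches"])
    for hit in result["sideload_hits"]:
        print("side-load candidate:", hit)
```

The hash check only helps when the digest comes from somewhere the attacker did not control, which is exactly why a hash printed on the same compromised download page is worthless. On Windows the complementary check is `Get-AuthenticodeSignature` on the installer, since CPUID states that its signed originals were untouched; a valid CPUID signature on the downloaded file is strong evidence the link was not swapped for that visit.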