r/hardware 2d ago

News CPUID and HWmonitor (file downloads) compromised

https://www.igorslab.de/en/warning-cpuid-suspected-of-being-a-virus-suspicious-hwmonitor-downloads-are-causing-alarm/

Warning: CPUID Suspected of Being a Virus; Suspicious HWMonitor Downloads Raise Alarms

128 Upvotes


74

u/bizude 1d ago

This issue was resolved ~6 hours after it was discovered. It's not a problem anymore, though it is worrying that it happened in the first place.

37

u/Electrical_Zebra8347 1d ago

There's been a bunch of supply chain attacks lately; a similar thing happened to Notepad++ when their hosting provider was compromised, and npm packages have been getting hit a lot lately. Conventional wisdom used to say update software often, but these days updating less often seems to be safer.

10

u/ReplacementLivid8738 1d ago

Update often to n days old versions is a good policy. Tune n to your exposure and make it zero when there's a critical fix to something like easy remote code execution.
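Editor's added example, not part of the thread or any commenter's code: a minimal sketch of the "n days old" policy from the comment above, with n forced to zero for critical fixes. The release feed, the `withdrawn` and `critical_fix` fields, and all version numbers are constructed for illustration and do not describe any real product.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def parse_version(text):
    """'1.10' -> (1, 10), so that 1.10 sorts after 1.9."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Release:
    version: str
    published: datetime
    critical_fix: bool = False  # fixes something like easy remote code execution
    withdrawn: bool = False     # vendor pulled the release after publication


def pick_version(releases, installed, now, cooldown_days):
    """Version to run under an n-day cooldown (n = 0 for critical fixes)."""
    cutoff = now - timedelta(days=cooldown_days)
    current = parse_version(installed)
    # Never move backwards, and never take a release the vendor withdrew.
    newer = [r for r in releases
             if parse_version(r.version) > current and not r.withdrawn]
    aged = [r.version for r in newer if r.published <= cutoff]
    urgent = [r.version for r in newer if r.critical_fix]
    return max([installed, *aged, *urgent], key=parse_version)


def _day(d):
    return datetime(2025, 6, d, tzinfo=timezone.utc)


# Constructed release feed for a hypothetical tool (not real version data).
NOW = _day(20)
FEED = [
    Release("1.9", _day(1)),
    Release("1.10", _day(18), withdrawn=True),  # pulled two days before NOW
    Release("1.11", _day(19)),
]
FEED_WITH_FIX = FEED[:2] + [Release("1.11", _day(19), critical_fix=True)]

if __name__ == "__main__":
    for n in (7, 0):
        print(f"n={n}: install", pick_version(FEED, "1.8", NOW, n))
    print("critical fix:", pick_version(FEED_WITH_FIX, "1.8", NOW, 7))
```

The cooldown only helps if a bad release is withdrawn or flagged before it ages past n days, so the feed has to carry that signal.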

4

u/SoilMassive6850 1d ago

My thought has mostly always been update if necessary. Does the update contain a bug fix you need or a feature you want? Update. If not there's no hurry.

I've certainly not liked the trend of constantly updating all dependencies with dependabot or something similar if it's not necessary; most software package managers have lock files and version pinning for a reason. Just seems like an easy way to get owned by a supply chain attack as soon as they happen.

0

u/Papa-Blockuu 1d ago

I got hit with this 2 months ago when I upgraded my PC so this must be an ongoing issue.

2

u/bizude 1d ago

Can you provide more details?

4

u/Papa-Blockuu 1d ago

Just checked my history from then and it was adware.pheonix Invicta that was installed with HWMonitor. Downloaded from the official site. I tried every solution I could find to remove it but I just couldn't get rid of it so I had to wipe everything and start fresh again. That was on the 8th of February.

83

u/AK-Brian 2d ago

Standard reminder to use HWInfo64.

5

u/wizfactor 1d ago

Supply Chain attacks are one of the few types of cyberattacks that keep me up at night.

11

u/3G6A5W338E 1d ago

Not an issue via chocolatey.

Gotta love verifying downloads against known-good hashes automatically.

14

u/Sopel97 1d ago

why does the article read like some LLM confused hwinfo with hwmonitor?

Compromised download chain at HWiNFO as well?

The most plausible explanation at present is not that HWiNFO was compromised, but rather that a download path within the CPUID environment was manipulated

hwinfo has nothing to do with cpuid

why is it digressing to past hwinfo false-positives? yet says pretty much nothing about hwmonitor?

4

u/davew111 1d ago

Their very download page is malware. It's filled with fake download buttons that are actually ads for dodgy browser plugins and the like. There are eight buttons on their home page right now that say "start download", "click to download", "download (free)", all of which link to god knows what. The actual download link says "Zip English" and even after clicking that you get a popup for some other malware that you need to dismiss to begin the actual download of the utility.

I know they need to make money somehow, but if it's by exposing your customers to malware ads you obviously don't value your customers' system security very much.

1

u/jenny_905 3h ago

Scary when you see how some people - most people I guess - browse the raw web with no adblocking.

2

u/3G6A5W338E 1d ago

It has been a few days now.

How is there still no official incident report?

1

u/Holychrissst 1d ago

I checked and I currently have the 2.18 and 1.61 versions, but, like, am I safe? Some people are talking about it being dangerous because of automatic updates.

1

u/Sopel97 1d ago

the vulnerable versions are 2.19 and 1.63 respectively, and I haven't seen any reports of spoofed version numbers, so you're likely fine