
On April 9-10, 2026, the official website of CPUID — the company behind the hugely popular hardware monitoring tools CPU-Z and HWMonitor — was compromised by unknown threat actors. For approximately six hours, users who downloaded CPU-Z or HWMonitor from the official cpuid.com website received trojanized installers that deployed STX RAT, a sophisticated remote access trojan that operates almost entirely in memory.
This is the second major supply chain attack in two weeks, following the Axios npm compromise on March 31. The pattern is clear: attackers are increasingly targeting the distribution infrastructure of trusted software rather than attacking end users directly.
The signed original files were not compromised — the attackers modified the download links, not the software itself. Users who downloaded during the 6-hour window received trojanized installers from attacker-controlled infrastructure.
STX RAT is a multi-stage remote access trojan described by malware analysts at vx-underground as "deeply trojanized and operating almost entirely in memory." The malware:
Kaspersky identified more than 150 confirmed victims, primarily individuals but also organizations in retail, manufacturing, consulting, telecommunications, and agriculture. Most infections were in Brazil, Russia, and China — but any user worldwide who downloaded from cpuid.com during the window is potentially affected.
Check your browser download history and any software installation logs:
# Windows (PowerShell): list recently downloaded CPU-Z / HWMonitor files, oldest first
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter "*cpu-z*" | Sort-Object LastWriteTime
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter "*hwmonitor*" | Sort-Object LastWriteTime
# Check whether CPU-Z or HWMonitor was installed recently (Win32_Product is slow and
# triggers an MSI consistency check of every installed package, so expect a delay)
Get-CimInstance -ClassName Win32_Product | Where-Object {
    $_.Name -like "*CPU-Z*" -or $_.Name -like "*HWMonitor*"
} | Select-Object Name, InstallDate, Version
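As an added example (not LayerLogix's code), the following PowerShell script pulls the checks above together: it lists CPU-Z or HWMonitor files created in the Downloads folder during the compromise window, records each file's SHA-256 and Authenticode signature status, and reads the registry Uninstall keys for installed copies instead of the slow Win32_Product class. The window dates come from this post; the folder path and the known-good hash table are assumptions, and the placeholder hash must be replaced with a value obtained from CPUID.

```powershell
# Added example, not LayerLogix's code. Assumes Windows PowerShell 5.1 or PowerShell 7
# on Windows. Compromise window taken from the advisory (April 9-10, 2026).
$WindowStart = [datetime]'2026-04-09'
$WindowEnd   = [datetime]'2026-04-11'

# Placeholder: replace with the SHA-256 of the genuine installer obtained from CPUID.
$KnownGoodSha256 = @{ 'cpu-z_example.exe' = 'REPLACE_WITH_KNOWN_GOOD_SHA256' }

function Get-SuspectInstallers {
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))   # assumed location
    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name -match 'cpu-?z|hwmonitor' -and
            $_.CreationTime -ge $WindowStart -and $_.CreationTime -lt $WindowEnd
        } |
        ForEach-Object {
            $hash     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $sig      = Get-AuthenticodeSignature -FilePath $_.FullName
            $expected = $KnownGoodSha256[$_.Name]
            [pscustomobject]@{
                File      = $_.FullName
                Created   = $_.CreationTime
                Sha256    = $hash
                HashMatch = if ($expected) { $hash -eq $expected } else { 'no reference hash' }
                Signature = $sig.Status      # Valid / NotSigned / HashMismatch / NotTrusted ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            }
        }
}

function Get-InstalledMonitoringTools {
    # The Uninstall keys list installed programs without the side effects of
    # Win32_Product, which is slow and triggers an MSI consistency check of every package.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'cpu-?z|hwmonitor' } |
        Select-Object DisplayName, DisplayVersion, InstallDate, Publisher, InstallLocation
}

Get-SuspectInstallers | Format-List
Get-InstalledMonitoringTools | Format-Table -AutoSize
```

A file whose signature status is anything other than Valid, or whose signer is not CPUID, should be treated as suspect; whether the attacker-served installers carried a valid signature is not stated in this post, so the hash comparison against a reference value from CPUID is the decisive check.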
Since the malware operates in memory, traditional file-based scanning may miss it. Look for:
# Check PowerShell script-block logs (Event ID 4104; requires Script Block Logging to be
# enabled) for download-and-execute patterns around the compromise window.
# Filter after retrieval: placing -MaxEvents before Where-Object would discard older
# events in the window before they are inspected.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104; StartTime=[datetime]'2026-04-09'; EndTime=[datetime]'2026-04-11'} -ErrorAction SilentlyContinue |
Where-Object { $_.Message -like "*Invoke-Expression*" -or $_.Message -like "*IEX*" -or $_.Message -like "*downloadstring*" } |
Select-Object TimeCreated, Message | Format-List
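The log search above can be made reusable and tested offline, as an added example that is not LayerLogix's code: a small set of regular-expression indicators is applied to script-block records, first to two constructed sample records (one benign, one matching) and then to the live Microsoft-Windows-PowerShell/Operational log over the compromise window. The patterns are generic download-and-execute and encoding markers chosen for illustration, not indicators published for STX RAT.

```powershell
# Added example, not LayerLogix's code. Flags PowerShell script-block log entries
# (Event ID 4104; requires Script Block Logging to be enabled) that contain
# download-and-execute or encoding patterns. Patterns and sample records are constructed.
$SuspiciousPatterns = @(
    'Invoke-Expression', '\bIEX\b', 'DownloadString', 'DownloadFile',
    'Invoke-WebRequest', 'FromBase64String', '-EncodedCommand'
)

function Get-ScriptBlockIndicators {
    param([Parameter(Mandatory)][string]$Text)
    # Returns the patterns that match (regex, case-insensitive), or an empty array
    @($SuspiciousPatterns | Where-Object { $Text -match $_ })
}

function Find-SuspiciousScriptBlocks {
    param([Parameter(ValueFromPipeline)]$Record)   # any object with TimeCreated and Message
    process {
        $hits = Get-ScriptBlockIndicators -Text $Record.Message
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time       = $Record.TimeCreated
                Indicators = $hits -join ', '
                Snippet    = $Record.Message.Substring(0, [Math]::Min(100, $Record.Message.Length))
            }
        }
    }
}

# Constructed sample records standing in for Get-WinEvent output: one benign, one suspicious.
$SampleRecords = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2026-04-09 18:12:00'
                       Message = 'Creating Scriptblock text (1 of 1): Get-ChildItem C:\Temp | Sort-Object Length' },
    [pscustomobject]@{ TimeCreated = [datetime]'2026-04-09 18:14:07'
                       Message = 'Creating Scriptblock text (1 of 1): IEX ((New-Object Net.WebClient).DownloadString($u))' }
)
$SampleRecords | Find-SuspiciousScriptBlocks | Format-Table -AutoSize

# Live query over the compromise window. Filtering happens after retrieval rather than
# with -MaxEvents, which would drop older events in the window before they are inspected.
function Get-SuspiciousScriptBlocksFromLog {
    param([datetime]$Start = [datetime]'2026-04-09', [datetime]$End = [datetime]'2026-04-11')
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
        StartTime = $Start; EndTime = $End
    } -ErrorAction SilentlyContinue | Find-SuspiciousScriptBlocks
}
```

Only the second sample record is reported, with DownloadString and IEX as its indicators. If Script Block Logging was not enabled before the compromise window, the live query returns nothing and proves nothing; in that case process-creation auditing (Security log Event ID 4688) or an EDR process tree is the fallback source.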
If you downloaded CPU-Z or HWMonitor during the compromise window:
Two major supply chain attacks in two weeks, Axios (March 31) and CPUID (April 9), hit completely different software ecosystems (npm packages vs. desktop utilities) with the same strategy: compromise the distribution infrastructure and let trust do the rest.
For Houston businesses, the lesson is consistent: application allowlisting is the most effective control against supply chain attacks. A Privileged Access Management (PAM) platform with allowlisting blocks any executable that isn't on your approved list — even if it was downloaded from a "trusted" source. The trojanized CPU-Z installer wouldn't execute on a PAM-protected endpoint because the modified binary doesn't match the approved hash.
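The hash-allowlisting control described above can be seen end to end with Windows' built-in AppLocker, as an added example that is not LayerLogix's code and not the PAM platform the post refers to: a hash rule is generated from a verified copy of the installer, and Test-AppLockerPolicy reports whether any other file would be allowed to run under that policy without deploying it. It requires the AppLocker PowerShell module (Windows Enterprise/Education or Server); the file paths are assumptions.

```powershell
# Added example, not LayerLogix's code. Builds an AppLocker hash rule for an approved
# installer and evaluates another file against it. Paths below are assumptions.
Import-Module AppLocker

$ApprovedInstaller = 'C:\Approved\cpu-z_verified.exe'              # hash-verified copy
$CandidateFile     = "$env:USERPROFILE\Downloads\cpu-z_download.exe" # what the user fetched
$PolicyPath        = "$env:TEMP\cpuz-allowlist.xml"

function New-HashAllowlistPolicy {
    param([string[]]$ApprovedFiles, [string]$OutputXml)
    # A Hash rule matches AppLocker's own SHA-256 file hash of the approved binary, so a
    # modified binary that merely reuses the file name fails to match and is not allowed.
    Get-AppLockerFileInformation -Path $ApprovedFiles |
        New-AppLockerPolicy -RuleType Hash -User Everyone -Xml |
        Set-Content -Path $OutputXml
    $OutputXml
}

function Test-WouldRun {
    param([string]$PolicyXml, [string]$FilePath)
    # Evaluates the policy against a file without applying it to the machine.
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $FilePath |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

$policy = New-HashAllowlistPolicy -ApprovedFiles $ApprovedInstaller -OutputXml $PolicyPath
Test-WouldRun -PolicyXml $policy -FilePath $ApprovedInstaller   # matches the hash rule
Test-WouldRun -PolicyXml $policy -FilePath $CandidateFile       # allowed only if byte-identical
```

The approved copy is reported as matching the hash rule; a candidate with a different hash, which is what a trojanized installer served under the original file name would be, has no matching rule and is not allowed. Deploying the policy for real means merging it with Set-AppLockerPolicy and running it in audit mode first, since a hash rule must be regenerated for every legitimate new version of the tool.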
Need help checking your systems? LayerLogix can scan your environment for STX RAT indicators. Call 713-571-2390.