Discussion (104 Comments)

john_strinlai, 3 days ago
some comments purportedly (i did not verify) from one of the maintainers:

> Dear All, I'm Sam and I'm working with Franck on CPU-Z (I'm doing the validator). Franck is unfortunately OOO for a couple of weeks. I'm just out of bed after working on Memtest86+ for most of the night, so I'm doing my best to check everything. As very first checks, the file on our server looks fine (https://www.virustotal.com/gui/file/6c8faba4768754c3364e7c40...) and the server doesn't seem compromised. I'm investigating further... If anyone can tell me the exact link to the page where the malware was downloaded, that would help a lot

> Thank you. I found the biggest breach, restored the links and put everything in read-only until more investigation is done. Seems they waited until Franck was off and I went to bed after working on Memtest86+ yesterday :-/

> The links have been compromised for a bit more than 6 hours between 09/04 and 10/04 GMT :-/

so, it appears that the cpuid website was compromised, with links leading to fake installers.

cwizou, 3 days ago
For what it's worth - I used to write CPU reviews a while back - I can vouch for both Sam and Franck. Franck is the guy behind CPUID and Sam is a close friend of his, who was known for working at Canard PC on top of his work on Memtest : https://x86.fr/about-me/
john_strinlai, 3 days ago
that is pretty cool!

when i say i didn't verify, i just mean that i ripped these quotes out of reddit, and did not check whether the reddit username that posted the comments is known to be an identity of Sam.

cwizou, 3 days ago
I didn't talk to him to verify, but at the very least it's his username (and the account is old enough at this point: https://www.reddit.com/user/Doc_TB/comments/), and his very Belgian English.

I know both are close and Sam handles his website, so since the links are fixed, I have near zero doubt it's Sam here on reddit.

edp, 2 days ago
So strange to see you commenting on HN, I was an avid reader of Joystick back in the day !
pseudosavant, 3 days ago
Glad that they figured out the issue and fixed the links. When I first read this, I assumed it was actually the sketchy ads that are run on www.cpuid.com.

These are the real ads I just saw on a single download page for CPU-Z: "Continue to Download", "Install For windows 10, 11 32/64 bit Get Fast!", "Download", "Download now from PC APP STORE", or "Download Now For windows 10, 11 32/64 bit". Many of them appeared multiple times on the page.

The real download links don't even say they are download links.

I love the winget CLI in this situation. This is all you need: `winget install CPUID.CPU-Z`.

sysworld, 3 days ago
Personally I'm fine with the scammy ads. I feel most people who would use CPU-Z are pretty technical and should be able to tell the difference between an ad download button vs the real one.

That, and you should already be using an ad blocker.

SV_BubbleTime, 2 days ago
What have they done to you? You do not need to be conditioned to accept this.
BoredPositron, 3 days ago
It's the third time that I've read something about availability notifications on discord and other chats getting abused for timed attacks in the last few weeks.
magicalhippo, 3 days ago
After my Wordpress site got hacked way back through an exploit in one of the WP files, I set up a cron job that compared the hashes of the static files with the expected hashes, and would fire off an email if they differed.

The script lived above the web root, so they'd have to escape that to tamper with it, and was generated by another script.

Saved me a couple of times since, well worth the 15 minutes I spent on setting it up.
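
The cron-job idea above (and the tripwire approach mentioned below it), as an added example rather than the commenter's own script: take a SHA-256 baseline of the web root, store it where the web server cannot write, and have a scheduled run report any file that was added, removed or modified. File names and the store location are assumptions.

```python
"""Baseline-and-diff file integrity check (added example, not the commenter's
script): hash a directory tree, keep the baseline above the web root, and
report drift on a scheduled run."""
import hashlib
import json
import os
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large assets are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (path relative to root) to its hash."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():  # a planted link would hash its target, skip it
                continue
            baseline[str(p.relative_to(root_path))] = sha256_of(p)
    return baseline


def save_baseline(baseline: dict, store: str) -> None:
    """Persist the baseline; `store` should live above the web root and be
    owned by a user the web server does not run as."""
    path = Path(store)
    if path.exists():
        path.chmod(0o600)  # allow overwrite when re-baselining after a deploy
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))
    path.chmod(0o400)


def load_baseline(store: str) -> dict:
    return json.loads(Path(store).read_text())


def compare(baseline: dict, root: str) -> dict:
    """Files that appeared, vanished or changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }


def report(diff: dict) -> str:
    """One line per finding; an empty string means nothing to alert on."""
    return "\n".join(f"{kind}: {path}"
                     for kind in ("added", "removed", "modified")
                     for path in diff[kind])


if __name__ == "__main__":
    import sys
    # usage: integrity.py baseline|check <web_root> <baseline_file>
    action, web_root, store = sys.argv[1:4]
    if action == "baseline":
        save_baseline(build_baseline(web_root), store)
    else:
        findings = report(compare(load_baseline(store), web_root))
        if findings:
            print(findings)  # cron mails non-empty output, which is the alert
            sys.exit(1)
```

Run `check` from cron; cron's default behaviour of mailing any output makes the non-empty report the alert.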

michaelt, 3 days ago
Back in the 1990s, there was a tool called ‘tripwire’ that checked key files against expected checksums.

As I recall, they recommended putting the expected values on a floppy disk and setting the ‘write protect’ tab, so the checksums couldn’t be changed.

daneel_w, 3 days ago
Related: OpenBSD does this daily as part of running security(8) and its coverage can be expanded to include pretty much anything.

https://man.openbsd.org/security

embedding-shape, 3 days ago
> Saved me a couple of times since

Wait, how often does your Wordpress site get successfully hacked like that?

Aurornis, 3 days ago
Can you share what those other attacks were? It's helpful to study additional attacks to know what to look for.
cluckindan, 3 days ago
Any idea how the compromise was achieved?
john_strinlai, 3 days ago
i have no clue. i yoinked these quotes from the reddit thread where sam replied.

i am sure that we will see a write-up once the investigation concludes. it hasn't even been a day yet though, so i imagine sam is still in damage-control mode rather than root cause analysis mode.

quantummagic, 3 days ago
> after the download my Windows Defender instantly detected a virus.

> (because i am often working with programs which trigger the defender i just ignored that)

This again shows the unfortunate corrosive effect of false-positives. Probably impossible to solve while aggressively detecting viruses though.

vegadw, 3 days ago
I think to an extent Microsoft is the guilty party here. For many cracks Windows Defender will trip saying "Win32/Keygen" even if there's no actual malware

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclo...

This trains people that do a lot of piracy to be used to turning off their antivirus to let something through, which is fine until it's not. It's like drugs, if we know a subset of the population will do them no matter what, we should make it safe for them to the extent we can. False positives, causing people to ignore actual positives, creates a market for these things.

userbinator, 2 days ago
Many years ago, even a "Hello World" binary that wasn't compiled by MSVC but by a GNU toolchain was detected as "suspicious" or "potentially unwanted", and in some cases automatically deleted. MS clearly has a different definition of "malware" than many people, and while it may overlap with a majority opinion (e.g. viruses and worms), where its opinion differs is used to push an agenda.
Gigachad, 2 days ago
Software is the one thing I won't pirate since the risk of installing malware is extremely high. For media files, unless you are incredibly unlucky and someone is exploiting a bug in the media player, you are entirely safe. But for software you have no way of knowing how the software has been tampered with, and often there actually is malware in it.
ziml77, 1 day ago
Same. I used to pirate software but even way back I kept it limited to very popular software and established downloads (where if they were malware they were almost certain to be in a signature database by that point). And I absolutely never pirated an OS. I thought anyone doing that was out of their freaking mind because any malware there had ultimate access to block its own detection and do whatever else it pleased.

Now I don't do it at all. It's not worth the risk when I have the money to pay for the proprietary software that I like and when the ecosystem of open source software is very good.

ls612, 2 days ago
I mean this is by design? It makes pirates more likely to get malware, and thus normal people more likely to pay for MS products rather than pirate? You may think it's immoral but the incentives line up.
pshirshov, 3 days ago
But sorta possible to solve with source-based distribution and totally possible to solve with pure reproducible builds.
gertop, 3 days ago
It's entirely possible to ship malware in source form... Just look at the numerous supply chain attacks. Nix is a cute project but entirely irrelevant here.
miniBill, 3 days ago
It is possible but visible, and it means burning an identity, so it's not irrelevant
daveguy, 3 days ago
What systems have pure reproducible builds? Does Nix? Any others? From what I understand, it is a very difficult problem.
pshirshov, 3 days ago
https://stal-ix.github.io/ and Guix, but the definitions of purity are different for them.

Yes, a very difficult problem, compilers must be pure functions with thin effectful wrappers.

eviks, 3 days ago
If only there were a great Windows app store or a package manager to help with the impossible...
jl6, 3 days ago
To our new generation of human shields willing to use software releases less than a month old, we salute your sacrifice.
xandrius, 3 days ago
Not a fair take, cpuz and hwmonitor are often used on new installations of PCs (or at least for me) to verify hw specs and stuff. Or when I need to do some upgrade work for a desktop computer.

I just go to the trusted site, download what's there and get going. This is not an npm package that a dev is updating on day 0 of its release for being a "human shield", it's literally the first version which comes up when DLing the new software.

saltcured, 3 days ago
Seems like the kind of thing to just have on a bootable thumb drive, to inspect any machine without requiring installation on the fly.

In fact, I think I used to use memtest86+ this way as it is a baked in boot option on Fedora bootable ISO images. (Or at least was in the past, I haven't checked this recently.)

avazhi, 3 days ago
CPU-Z gets updated to recognise new CPUs and memory configs and thus must be downloaded new to recognise the new hardware in a new machine (otherwise it can’t recognise it properly). With Memtest sure but CPU-Z is something you actually need the latest version of when you first fire up a new PC.
mikestorrent, 3 days ago
Is there a tool out there that you can put software releases into and it will tell you how safe it is? I don't seem to be able to buy anything to do this. Crowdstrike and other modern antivirus may react to it once it's on a device, SAST / SCA tooling will help with CVEs, but there's nothing I can give my users where they can put in some piece of random software and get a reputation metric out the other side, is there?
vladvasiliu, 3 days ago
> put in some piece of random software and get a reputation metric out the other side

Well, the enterprise version of ms defender will not only react to it if it does something "weird", but will specifically look at its "reputation" before it runs at all.

However, as another commenter pointed out, this generates a ton of false positives. Basically everything that's "brand new" is liable to trigger it. Think your freshly compiled hello_world.exe. So, all in all, people may no longer pay attention to it and just click through all warnings.

tranceylc, 3 days ago
Worked on a minecraft clone on steam that would falsely get flagged by defender as a “bitcoin miner” for YEARS.
__natty__, 3 days ago
Not exactly for software (although there is such a section) but I use the end of life [0] website. Besides the time when certain software will be outdated, it also tells you its release time.

[0] https://endoflife.date/

Foobar8568, 3 days ago
Besides VirusTotal, I am unsure https://www.virustotal.com/
mikestorrent, 3 days ago
Thanks, that's helpful
JohnTHaller, 1 day ago
I run software downloads through VirusTotal before installing or using. And I scan all releases I make on PortableApps.com through it as well. (Except those that are bigger than the max size in which case those get scanned with Defender, ClamAV, and at least one commercial Windows antivirus.)
seanw444, 3 days ago
You could put it into an LLM, since that's what we do for everything else nowadays.
layer8, 3 days ago
I’m not one to chase the new and shiny, but how do you know a nominally months-old software package isn’t a newly compromised version at the time you download it?
ndriscoll, 3 days ago
I don't know about other managers, but nixpkgs has hashes of the package I'm installing, and is a git repo, so I can easily detect a history rewrite, and I have the full history of package changes over time. Since it's a git repo, I can also easily install things as of a given time.
djhn, 1 day ago
You probably know this, but a note for the benefit of people who don’t. The entire git history, including metadata, can be modified. Unless you have an independent offline remote to compare to, this method is not 100% guaranteed to detect tampering in all cases, for example if the nixpkgs repo is compromised (or your machines’ connection to your git forge is being MITM’d)
herecomesthepre, 3 days ago
Windows has this thing called digital signing with certificates that Linux users like to pretend doesn't exist or in the case of yesterday's Wireguard / VeraCrypt discussion, think it's an evil capitalist scheme to control the world.

Digital signing on Windows predates Mac developer certificates by years but arguably wasn't widely used outside of security-paranoid organizations.

Before someone says Linux offers GPG signing it's mostly useless without a central PKI. Developers offer the public key for download on the same server as the software. If someone uploaded compromised software, surely they would replace the key with their own.

BenjiWiebe, 3 days ago
Linux package managers (the normal way to install software) use signed packages.

I don't know how easy/hard it would be to compromise that.

steve1977, 2 days ago
> Before someone says Linux offers GPG signing it's mostly useless without a central PKI

One could also argue that GPG signing is useful exactly because it doesn't rely on a central PKI.

badsectoracula, 3 days ago
> Windows has this thing called digital signing with certificates that Linux users like to pretend doesn't exist

...or, much more likely, any potential benefits are not worth the negatives.

leptons, 3 days ago
I hope you don't think that waiting a month will protect you. Malicious software can wait to be triggered months or years before anything malicious happens.
BenjiWiebe, 3 days ago
It helps. If I were a malware/backdoor author, I have the choice to make it lie idle for a couple months; this would help me get more victims, BUT it gives more time for someone to notice it BEFORE I get any victims at all.

Whereas if it is active immediately, I'm likely to get at least a few victims.

sourcegrift, 3 days ago
Thank the web that produced css programmers who have been taught latest is greatest and shiny gets money.
leptons, 3 days ago
"new, shiny" has never been a problem with CSS. Either browsers support some CSS attribute or they don't.

You're probably thinking about Javascript programmers.

cachius, 3 days ago
It's HWMonitor https://www.cpuid.com/softwares/hwmonitor.html and not HWInfo https://www.hwinfo.com/

So two programs from CPUID. I wonder if there are more affected.

Same topic on Reddit at https://news.ycombinator.com/item?id=47718830 @dang

kyrra, 3 days ago
For Windows users, this is an advantage of using `winget` for installing things. It points to the installer hosted elsewhere, but it at least does a signature check. The config for the latest installer is listed here: https://github.com/microsoft/winget-pkgs/blob/master/manifes...

which you can install with:

   winget install --exact --id CPUID.CPU-Z

(there is a --version flag where you can specify "2.19"; the signature there is a month old, so it should be safe to install that way)
fuzzy2, 3 days ago
No, WinGet does not generally protect against this. While PRs to update package versions are verified in some way before going live, the necessary throughput can only be achieved with shallow checks. A determined actor could easily get a malicious update in, once they control the original source.

Other than that, WinGet is mostly just "run setup.exe". It is not a package manager. It's basically MajorGeeks as a mediocre CLI.

briHass, 2 days ago
Nonsense. WinGet has the ability to add repositories, just like any other package manager. If you want the 'approved' packages for the distro, that would be the msstore repository. If you want to use the 'community feed', which WinGet warns you about the first time you use it, it's less vetted, but still goes through Defender scans and community moderators.

If you go adding any old repo to APT, you have the same risk. You should look at how much code review goes into packages for major distros like Debian, hint, not much, especially once the initial package was accepted.

eviks, 3 days ago
This manifest only shows sha checks, which wouldn't help if the manifest is updated during the site compromise. How does it do the signature check?
actionfromafar, 3 days ago
Presumably the manifest is in github and won't auto-update when something on the CPU-Z website changes?
eviks, 3 days ago
What do you mean, how would it get the new version name/hash if not following the changes on the website?
hypeatei, 3 days ago
Package managers also saved people from the Notepad++ hijack that was disclosed a couple months ago.

I think devs should avoid distributing their software on first party sites unless they're willing to dedicate a bunch of time to making sure all the infra is secure. Not a lot of people verify signatures, but it's also good to have your PKI in order (signing keys should be available on multiple channels)

ww520, 3 days ago
Yes. Winget is getting better support on Windows apps. The other day I tried to download the latest version of ImageMagick but all the links on the official site were bad. I tried Winget and it had it!
orthogonal_cube, 3 days ago
Seems the installers hosted by them are fine. The links on the site have been changed to direct people towards Cloudflare R2 storage with various copies of malicious executables.

Looking forward to information down the line on how this came about.

1970-01-01, 3 days ago
Not exactly a supply chain compromise, as devs should be smart enough to update via a package manager such as winget and chocolatey, but it certainly fits for a watering hole attack.
Terr_, 3 days ago
I suppose one could view it as a supply-chain compromise of an alternate chain that's very short.
cachius, 3 days ago
This is bad. I like to install software with winget. Are the versions there also compromised?

v1.63 updated 6 days ago https://github.com/microsoft/winget-pkgs/tree/master/manifes... via https://winstall.app/apps/CPUID.HWMonitor

v2.19 updated 15 days ago https://github.com/microsoft/winget-pkgs/tree/master/manifes... via https://winstall.app/apps/CPUID.CPU-Z

_slih, 3 days ago
same threat group hit filezilla last month with a fake domain. this time they didn't even need a fake domain, they compromised the real one's api layer. the attack is evolving from 'trick users into visiting the wrong site' to 'make the right site serve the wrong file.'
turpentine, 2 days ago
FileZilla has had a history of intentionally bundling adware/spyware, so aren't they the threat to begin with?

https://en.wikipedia.org/wiki/FileZilla#Bundled_adware_issue...

amatecha, 3 days ago
BoredPositron, 3 days ago
"Bug fixes and general improvements."

Supply chain attacks are easier because changelogs for most software are useless now if they are provided at all.

ziml77, 1 day ago
"Fix for a critical issue when querying the CPU that could lead to data corruption in other processes executing at the same time"

Or, "hey ChatGPT generate me a changelog for updates and fixes I could make to the software CPU-Z"

Expecting a more detailed changelog doesn't help at all

(I'm not even sure you'd need to prompt an LLM around guardrails like I did here, it would probably happily spit out a fake changelog even if you were explicit about it not being real as long as you don't tell the LLM you're planning to trick people with malware)

linzhangrun, 1 day ago
"Fixed known issues"
unethical_ban, 3 days ago
I've wondered about this while using CachyOS and their package installer. I don't know what repos do what, I don't really understand the security model of the AUR, and I wonder, if I download a package, how can I know it's legitimate or otherwise by some trusted user of the community vs. some random person?
cephi, 3 days ago
To provide some quick information (I implore others to correct me here):

- CachyOS packages should be coming from known, trusted CachyOS and Arch Linux maintainers. There is still potential for them or their original packages to get compromised (see the XZ backdoor), however they are pulling source code from trusted sources so you can generally trust these as much as you trust the OS itself.

- AUR packages are a complete wild west. AUR packages are defined by PKGBUILD files and I highly recommend learning how to read PKGBUILDs and always reading them before installation and re-reading them when they are updated. PKGBUILDs for AUR packages can be treated as untrusted shell scripts and to a certain extent an arbitrary actor can make and upload any PKGBUILD to the AUR. Feel free to use them, but make sure A) they are downloading from trusted sources like the original git repo and B) they are running commands that are expected.

EDIT: Improved accuracy.
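
A small pre-build check in the spirit of the advice above (read the PKGBUILD before building), added here as an example and not an AUR or makepkg tool: it extracts the source=() and sha256sums=() arrays and flags entries a human should look at. The sample PKGBUILD, its hosts and the trusted-host list are constructed for the example.

```python
"""Pre-build sanity check for an AUR PKGBUILD (added example, not an AUR tool):
pull the source=() and sha256sums=() arrays out of the file and flag entries
that deserve a human look (untrusted hosts, plain http, SKIP checksums)."""
import re
import shlex
from urllib.parse import urlparse

# Constructed sample PKGBUILD: one well-formed entry and one questionable one.
SAMPLE_PKGBUILD = r"""
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
source=("$pkgname-$pkgver.tar.gz::https://github.com/example/tool/archive/v$pkgver.tar.gz"
        "helper.sh::http://files.example-cdn.invalid/helper.sh")
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
            'SKIP')
build() { cd "$pkgname-$pkgver"; make; }
"""

SCALAR_RE = re.compile(r"^(\w+)=([^\s(]\S*)$", re.M)    # pkgver=1.2.3
ARRAY_RE = re.compile(r"^(\w+)=\((.*?)\)", re.M | re.S)  # source=( ... )


def parse_arrays(text: str) -> dict:
    """Return {name: [entries]} for every foo=( ... ) array, quotes removed."""
    return {name: shlex.split(body) for name, body in ARRAY_RE.findall(text)}


def expand(value: str, scalars: dict) -> str:
    """Substitute $var and ${var} from the scalar assignments in the file."""
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: scalars.get(m.group(1), m.group(0)), value)


def check_pkgbuild(text: str, trusted_hosts: list) -> list:
    """List human-readable findings; an empty list means nothing stood out."""
    scalars = dict(SCALAR_RE.findall(text))
    arrays = parse_arrays(text)
    sources = arrays.get("source", [])
    sums = arrays.get("sha256sums", [])
    findings = []
    for i, entry in enumerate(sources):
        # makepkg syntax is "localname::url"; the url part is what gets fetched
        url = expand(entry.split("::", 1)[-1], scalars)
        u = urlparse(url)
        if u.scheme in ("", "file"):
            findings.append(f"{url}: local file shipped with the PKGBUILD, read it too")
            continue
        if u.scheme not in ("https", "git+https"):
            findings.append(f"{url}: not fetched over https (scheme {u.scheme!r})")
        host = u.hostname or ""
        if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
            findings.append(f"{url}: host {host!r} is not in the trusted list")
        if i >= len(sums) or sums[i] == "SKIP":
            findings.append(f"{url}: no sha256 pinned (SKIP or missing)")
    return findings


if __name__ == "__main__":
    for line in check_pkgbuild(SAMPLE_PKGBUILD, ["github.com"]):
        print(line)
```

The check is a prompt to read the file, not a substitute for it: a PKGBUILD can still run arbitrary shell in its build() and package() functions, which this does not inspect.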

wang_li, 3 days ago
Jesus. I see that post and comment section and I immediately expect to hear Joey telling me about how this ATM in Idaho started spraying cash after his hack of the Gibson. That is a real-life reproduction of the perception of hackers in films in the '90s.
vntok, 3 days ago
From the thread:

> Q: Why the heck did you hyperlink [the malware installer]?

> A: If someone reads this and they still click the download then they kind of deserve the virus tbh

daneel_w, 3 days ago
And CSI: Miami, which kept the vibe alive through the 2000s and "educated the masses" on how IT works. Beep boop, I'm in.
vntok, 3 days ago
The counter-hacker double-keyboarding sequence was inspiring.
metalliqaz, 3 days ago
someone has some l33t sk1llz
ASalazarMX, 3 days ago
Just my luck that I needed and downloaded CPU-Z yesterday at work, after not needing it for years. Fortunately my download is not detected as malicious by Virustotal, but what a scare.
moomoo11, 3 days ago
One interesting thing about all this stuff is that we may see a big swing towards paid/trusted solutions for all these types of things.

Maybe the 5-10% of true nerds will go find the l33t open source solutions, but most people will just use some paid solution.

Maybe Steam could build. Or in Windows. Or some SaaS solution for registry.

In exchange you just share your HW info

linzhangrun, 1 day ago
Paid plans aren't necessarily safer than free plans
userbinator, 2 days ago
If one were conspiratorially-minded, one would even be inclined to believe that these were deliberately done to push us towards that authoritarian dystopia of "trusted computing".
VimEscapeArtist, 3 days ago
Wait, people still download unsigned exes from PHP-era websites in 2026? And then act surprised when the download link starts pointing to malware?

At this point if your software isn't distributed through a repo with verifiable builds, you're basically running a malware lottery for your users. The only question is when, not if.

CPUID got lucky it was only 6 hours. Imagine if the attackers had better taste in filenames than "HWiNFO_Monitor_Setup.exe" lmao

mjmas, 2 days ago
> PHP-era

PHP-era is still today

Leomuck, 2 days ago
Is anything not potentially compromised these days? Wow.
cachius, 3 days ago