First Axios, Now CPUID: Supply Chain Attacks Are Coming for Everyone
Holaaaaaa!!
So remember that blog post I wrote about the axios npm hack? The one where I nearly got hit by a RAT through a package I've trusted for years? Yeah. It happened again. But this time, the target isn't developers: it's gamers, PC builders, and tech enthusiasts.

And honestly? I'm not even surprised anymore. But I am tired.
The Personal Angle
Let me start with why this one hits different. CPU-Z and HWMonitor are tools I've had installed on my Windows gaming PC for months. CPU-Z tells me exactly what's inside my rig, down to the specific RAM timings and CPU stepping that Windows Settings just doesn't bother showing you. HWMonitor? That's my go-to for keeping an eye on temperatures and voltages while I'm gaming or benchmarking.
When you're running 3 RTX 3060s across a Proxmox cluster, you kind of develop a habit of checking thermals obsessively. These tools are as routine as checking your phone after waking up. You install them once, you trust them, and you never think about them again.
And that's exactly what made them such a perfect target.
Unlike axios, which gets pulled and executed every single time you run npm install, CPU-Z and HWMonitor are install-once utilities. You download them, you run them, and they sit there quietly doing their job. No auto-updates, no package managers fetching fresh copies, no postinstall hooks silently executing code.
Which also means: I wasn't affected by this attack. I installed my copies months ago, long before the breach happened. But for anyone who happened to visit cpuid.com between April 9 and April 10? Different story entirely.
What Actually Happened
On April 9, 2026, attackers compromised the CPUID website (cpuid.com), the official home of CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor. According to Kaspersky, the breach lasted approximately 19 hours, from April 9 at 15:00 UTC until April 10 at around 10:00 UTC.
Here's how it went down:
The attackers didn't compromise CPUID's signed original files. Instead, they breached what CPUID described as a "secondary feature (basically a side API)" and used it to swap the download URLs on the official website. Clicking the download button didn't hand you the real installer; it redirected you to one of four malicious domains:
- cahayailmukreatif.web[.]id
- pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev (Cloudflare R2 storage)
- transitopalermo[.]com
- vatrobran[.]hr
And the timing? CPUID confirmed the attackers hit them while the main developer was away on holiday. The comments on BleepingComputer noted that holidays like Easter are prime time for this kind of operation: everyone's away, nobody's watching.
The affected software versions:
- CPU-Z version 2.19
- HWMonitor version 1.63
- HWMonitor Pro version 1.57
- PerfMonitor version 2.04
Users on Reddit's r/pcmasterrace were the first to raise the alarm. They noticed the download was handing them a file named HWiNFO_Monitor_Setup.exe instead of the expected hwmonitor_1.63.exe, complete with a Russian-language installer dialog and an unusual Inno Setup wrapper. The fake installer was even named to cause confusion by mixing two well-known monitoring brands: HWMonitor and HWiNFO.
Clever. And terrifying.
How the Attack Worked
The trojanized software was distributed both as ZIP archives and standalone installers. Each one contained a legitimate, signed executable for the corresponding CPUID product, plus one malicious file: CRYPTBASE.dll.
This is a technique called DLL Sideloading. By default, Windows searches the application's own directory for a DLL before it checks the system folder, so a DLL with the expected name dropped next to a legitimate executable wins. The attackers placed their malicious CRYPTBASE.dll right next to the real, signed executable, so Windows loaded it automatically whenever you launched CPU-Z or HWMonitor. The legitimate program runs fine and the signature on it still checks out. The malware runs alongside it, completely invisible.
The malicious DLL then:
- Performs anti-sandbox checks: scans for VirtualBox, VMware, and QEMU artifacts in the registry, filesystem, and running processes. If it detects a virtual machine, it "jitter exits" (sleeps for a randomized delay and terminates).
- Connects to the C2 server: reaches out to welcome.supp0v3[.]com for instructions and further payload execution.
- Deploys the final payload through a multi-stage loader that includes a huge array of MAC addresses converted to byte values, forming the next-stage payload.
Here's where it gets interesting. Kaspersky noted that the attackers reused the exact same C2 address and connection configuration from a campaign in March 2026, where a fake FileZilla site distributed trojanized FTP client installers. The embedded configuration even contained a "referrer" field set to "cpz", shorthand for CPU-Z:
{
"hello": {
"tag": "tbs",
"referrer": "cpz",
"callback": "https://welcome.supp0v3[.]com/d/callback"
}
}
Kaspersky called this a "copy-pasted attack" and noted that the threat actor's "overall malware development/deployment and operational security capabilities... is quite low." They reused known indicators of compromise from the FileZilla campaign, which made detection almost immediate.
But here's the thing: sloppy operators with working malware are still dangerous. They don't need to be sophisticated when the targets are everyday users clicking "Download" on an official website.
What STX RAT Can Do
The final payload delivered by this attack chain is STX RAT, a relatively new remote access trojan documented by eSentire's Threat Response Unit in early April 2026. It's named after the Start of Text (\x02) magic byte it prefixes to all C2 messages.
This isn't some amateur tool. Despite the sloppy deployment, STX RAT itself is surprisingly capable:
Infostealer Capabilities
- Browser credentials and cookies: harvests saved passwords and session cookies from web browsers
- Crypto wallet data: targets cryptocurrency wallet files
- FTP client credentials: steals saved FTP login information (ironic, given the FileZilla connection)
- Potential Application-Bound Encryption (ABE) bypass: eSentire found indicators suggesting it may attempt to bypass Chrome's ABE, though this feature may not yet be fully functional
Remote Control
- HVNC (Hidden Virtual Network Computing): allows threat actors to control your machine via a hidden desktop that you can't see on your screen. They can move your mouse, type on your keyboard, and interact with your desktop, all invisibly
- Fileless PowerShell execution: can execute PowerShell payloads in memory via hijacked pipes, using powershell.exe -Command "[Console]::In.ReadToEnd() | Invoke-Expression" to avoid leaving traces on disk
- Reverse proxy/tunneling: opens sockets for C2-specified hosts and tunnels data through them
Evasion Techniques
- AMSI Ghosting: patches rpcrt4!NdrClientCall3 to disable the Anti-Malware Scan Interface, effectively blinding security solutions to what the malware is doing
- API Hashing: resolves Windows APIs using salted SHA-1 hashes instead of plaintext imports, making static analysis painful
- String Obfuscation: uses rolling XOR with variable start keys AND AES-128-CTR encrypted strings that are decrypted on demand and immediately deleted from memory
- Anti-VM: scans for a massive list of VirtualBox, VMware, and QEMU artifacts (registry keys, files, services, drivers)
Encrypted C2 Communication
The C2 channel is cryptographically solid:
- X25519 ECDH key exchange derives a per-session shared secret
- Ed25519 signature verification ensures the C2 server is authentic (preventing researchers from spoofing it)
- ChaCha20-Poly1305 encrypts and integrity-protects all session traffic
- Supports both clearweb and Tor as fallback communication channels
It also takes a screenshot of your desktop immediately after connecting to the C2 and sends it back as a base64-encoded JPG. So the attacker knows exactly what's on your screen from the moment of infection.
According to The Hacker News, Kaspersky identified more than 150 victims, mostly individuals. But several organizations in retail, manufacturing, consulting, telecommunications, and agriculture were also hit, with most infections in Brazil, Russia, and China.
Deja Vu: Axios vs CPUID - Two Supply Chain Attacks in One Month
If you read my axios blog post, this should feel uncomfortably familiar. Let me draw the parallels:
| | Axios (April 1) | CPUID (April 9-10) |
|---|---|---|
| Target | Developers (183M weekly npm downloads) | Gamers & tech enthusiasts (millions of users) |
| Attack vector | Compromised maintainer credentials, poisoned npm versions | Compromised side API, swapped download URLs |
| Delivery mechanism | postinstall hook in plain-crypto-js dependency | DLL Sideloading via CRYPTBASE.dll |
| Final payload | WAVESHAPER.V2 RAT | STX RAT |
| Attribution | UNC1069 (North Korea-nexus) | Unknown (same actor as FileZilla campaign) |
| Detection | Windows Defender caught it mid-execution | Reddit users noticed wrong filenames and Russian dialogs |
| My exposure | Encountered it in TESTCODER, Defender blocked it | Not affected (installed months before the breach) |
Two completely different ecosystems, npm packages vs desktop utilities, but the same fundamental playbook: abuse inherent trust in the distribution chain.
With axios, developers trust that npm install gives them the real package. With CPUID, users trust that clicking "Download" on the official website gives them the real installer. That trust is exactly what threat actors exploit.
And let's zoom out for a second. This is the same pattern we've been seeing all year:
- Fake 7-Zip site (February 2026): trojanized installer turns PCs into proxy nodes
- Notepad++ supply chain attack: compromised update mechanism delivers backdoor via DLL sideloading
- Fake FileZilla site (March 2026): lookalike domain distributes trojanized FTP client with version.dll sideloading
- Axios npm compromise (April 1, 2026): poisoned package versions drop WAVESHAPER.V2 RAT
- CPUID breach (April 9-10, 2026): official website redirects to trojanized installers dropping STX RAT
Same RAT. Same DLL sideloading technique. Same C2 infrastructure reused. The CPUID attack even used the same welcome.supp0v3[.]com C2 domain that the FileZilla campaign used a month earlier.
What an April, by the way. It's been scorching hot here in the Philippines. Gas prices and RAM prices both soaring to levels we've never seen. AI-related layoffs have never been higher in numbers, which makes my job hunting significantly harder than it already was. And TWO major supply chain attacks in the same month? What an April.

Am I Affected?
If you downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor from cpuid.com between April 9 (15:00 UTC) and April 10 (10:00 UTC), you may have received a trojanized copy.
Check for these indicators:
Affected versions:
- CPU-Z version 2.19
- HWMonitor version 1.63
- HWMonitor Pro version 1.57
- PerfMonitor version 2.04
File indicators:
- The presence of CRYPTBASE.dll in the installation directory alongside the legitimate executable. A clean CPUID installation should NOT have this file.
- A file named HWiNFO_Monitor_Setup.exe instead of the expected hwmonitor_1.63.exe
Network indicators:
- C2 domain: welcome.supp0v3[.]com
- C2 IP: 95.216.51[.]236 (port 31415)
- Malicious download domains: cahayailmukreatif.web[.]id, pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev, transitopalermo[.]com, vatrobran[.]hr
Malicious file hashes (SHA-256) per Kaspersky:
- d0568eaa55f495fd756fa205997ae8d93588d2a2 (cpu-z_2.19-en.zip)
- 02a53d660332c25af623bbb7df57c2aad1b0b91b (hwinfo_monitor_setup.exe)
- 9253111b359c610b5f95ef33c2d1c06795ab01e9 (HWMonitorPro_1.57_Setup.exe)
- 7c615ce495ac5be1b64604a7c145347adbcd900c (hwmonitor_1.63.zip)
- 8351a43a0c0455e4b0793d841fe12625f072f9b4 (PerfMonitor2_Set.exe)
For the full list of IoCs including all malicious DLL hashes, check Kaspersky's Securelist report.
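To turn the file and hash indicators above into a repeatable check, here is a small Python triage script (added here, not from the post or from CPUID) that walks a download or install folder, flags a CRYPTBASE.dll sitting next to the executable, flags the mixed-brand installer name, and compares file digests against the hashes listed above. The listed values are 40 hex digits, which is SHA-1 length, so the script picks the digest algorithm by IoC length; the sample folder it builds contains placeholder files, not real malware.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators quoted from the post; the listed hashes are 40 hex digits
# (SHA-1 length), so the digest to compare is picked by IoC length.
BAD_HASHES = {
    "d0568eaa55f495fd756fa205997ae8d93588d2a2": "cpu-z_2.19-en.zip",
    "02a53d660332c25af623bbb7df57c2aad1b0b91b": "hwinfo_monitor_setup.exe",
    "9253111b359c610b5f95ef33c2d1c06795ab01e9": "HWMonitorPro_1.57_Setup.exe",
    "7c615ce495ac5be1b64604a7c145347adbcd900c": "hwmonitor_1.63.zip",
    "8351a43a0c0455e4b0793d841fe12625f072f9b4": "PerfMonitor2_Set.exe",
}
ALGO_BY_LEN = {40: "sha1", 64: "sha256"}
SIDELOAD_DLL = "cryptbase.dll"                   # never ships in a clean install
SUSPICIOUS_NAMES = {"hwinfo_monitor_setup.exe"}  # mixed-brand installer name

def file_digests(path):
    # One pass over the file, feeding every algorithm the IoC list needs.
    hashers = {a: hashlib.new(a) for a in set(ALGO_BY_LEN.values())}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def triage_directory(install_dir):
    """Return (kind, detail) findings for every file under install_dir."""
    findings = []
    for path in sorted(Path(install_dir).rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name == SIDELOAD_DLL:
            findings.append(("sideload_dll", str(path)))
        if name in SUSPICIOUS_NAMES:
            findings.append(("suspicious_name", str(path)))
        digests = file_digests(path)
        for ioc, label in BAD_HASHES.items():
            if digests[ALGO_BY_LEN[len(ioc)]] == ioc:
                findings.append(("known_bad_hash", f"{path} matches {label}"))
    return findings

def make_sample_dir():
    # Constructed stand-in for a trojanized unpack folder; placeholder bytes only.
    root = Path(tempfile.mkdtemp(prefix="cpuid_triage_"))
    for fname in ("HWMonitor.exe", "CRYPTBASE.dll", "HWiNFO_Monitor_Setup.exe"):
        (root / fname).write_bytes(b"placeholder bytes for " + fname.encode())
    return root
```

Point triage_directory at the folder you unpacked the download into; any finding means quarantine the machine rather than just deleting the file.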
What You Should Do Right Now
1. Verify Your Download Source
Only download CPUID software from the official cpuid.com website. Check the URL carefully. After the breach was fixed, the site now serves clean versions, but verify, don't assume.
2. Check for CRYPTBASE.dll
If you downloaded any CPUID software recently, check the installation directory. A legitimate CPUID installation does NOT ship with CRYPTBASE.dll in the application folder. If it's there, treat the system as compromised.
3. Don't Trust "It's Been Removed" News
This is the one I want to hammer home, because I learned this the hard way with axios.
When news breaks that the malicious versions have been taken down, that doesn't mean you're safe. With the axios attack, news reports said the bad versions were already removed from npm, but I was still able to encounter the infected version on my end. Why? Because different mirrors, caches, and CDN propagation times can cause delays. When a package or download is removed from the source, it doesn't instantly disappear from every edge node, cache, and mirror across the internet. If your client pulls from a slower-updating mirror, you might still get poisoned files hours after the takedown.
The same applies here. CPUID's download infrastructure uses Cloudflare R2 storage and multiple distribution paths. Even after CPUID fixed the breach and restored clean download links, trojanized copies could linger on CDN edge nodes or in your browser's local cache.
Assume nothing is safe until you've verified yourself. Hash-verify. Check filenames. Look for extra DLLs. Don't take "it's fixed" at face value.
4. Block C2 Domains at the Network Level
Don't just rely on your machine's antivirus. Block the known C2 endpoints at your network edge:
- Add welcome.supp0v3[.]com to your router's blocklist
- Sinkhole 95.216.51[.]236 in your Pi-hole or DNS server
- Block the four malicious download domains listed above
If you're running Pi-hole (I run three instances: one for home, one configured differently for my Internet Cafe, and another for the Proxmox network), this is trivial. Network-level blocking catches what your machine-level security might miss.
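As an added example (not from the post), this Python scanner applies the network indicators above to DNS query logs: it refangs the [.] notation, matches the listed domains and any of their subdomains, and flags replies that resolve to the C2 address, which catches the IP even behind a hostname you have never seen. The log line shape (dnsmasq's "query[A] host from client" and "reply host is answer", as Pi-hole records it) is an assumption, and the sample lines are constructed.

```python
import re

# Network IoCs quoted from the post, kept defanged ([.]) as written there.
DEFANGED_DOMAINS = ["welcome.supp0v3[.]com", "cahayailmukreatif.web[.]id",
                    "pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev",
                    "transitopalermo[.]com", "vatrobran[.]hr"]
DEFANGED_IPS = ["95.216.51[.]236"]

def refang(indicator):
    # Turn the [.] notation back into a real hostname or address.
    return indicator.replace("[.]", ".").lower()
BAD_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
BAD_IPS = {refang(i) for i in DEFANGED_IPS}

def domain_is_listed(name):
    """True for a listed domain or any subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BAD_DOMAINS)

# Assumed dnsmasq log shape as Pi-hole records it: "query[A] host from client"
# for lookups and "reply host is answer" for the resolved addresses.
QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")
REPLY_RE = re.compile(r"reply (\S+) is (\S+)")

def scan_dns_log(lines):
    """Return (client, hostname, reason) for every IoC domain or C2 IP seen."""
    hits, last_client = [], {}
    for line in lines:
        q = QUERY_RE.search(line)
        if q:
            host, client = q.groups()
            last_client[host.lower()] = client
            if domain_is_listed(host):
                hits.append((client, host, "ioc_domain"))
            continue
        r = REPLY_RE.search(line)
        # A reply carrying the C2 address catches the IP even behind a new name.
        if r and r.group(2) in BAD_IPS:
            host = r.group(1)
            hits.append((last_client.get(host.lower(), "?"), host, "ioc_ip"))
    return hits

# Constructed sample lines, not a real capture.
SAMPLE_LOG = [
    "Apr 10 09:12:33 dnsmasq[712]: query[A] welcome.supp0v3.com from 192.168.1.20",
    "Apr 10 09:12:33 dnsmasq[712]: reply welcome.supp0v3.com is 95.216.51.236",
    "Apr 10 09:13:01 dnsmasq[712]: query[A] cdn.transitopalermo.com from 192.168.1.31",
    "Apr 10 09:13:05 dnsmasq[712]: query[A] www.cpuid.com from 192.168.1.20",
    "Apr 10 09:13:09 dnsmasq[712]: reply other.example.net is 95.216.51.236",
]
```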
5. Hash-Verify Your Downloads
Compare the SHA-256 hashes of any CPUID software you downloaded recently against the known-good values. Kaspersky provides a comprehensive IoC list in their report. If the hash doesn't match, don't run it. Delete it immediately.
6. Don't Rush to Update
Unlike npm packages that pull fresh versions on every install, standalone tools like CPU-Z and HWMonitor don't need constant updates. If it's working, don't rush to grab the latest version from the website the moment a new release drops, especially right after a breach is disclosed. Wait for the dust to settle. Let the security community verify that the coast is clear.
Final Thoughts
Two supply chain attacks in one month. Two completely different ecosystems. Two different RATs. But the same fundamental lesson: trust is the attack surface.
We trust that npm install axios gives us the real axios. We trust that clicking "Download" on cpuid.com gives us the real CPU-Z. We trust that the package we installed yesterday is the same one available today.
But that trust is exactly what threat actors exploit. And they're getting better at finding high-trust targets, whether it's a package with 183 million weekly downloads or a utility installed on nearly every gamer's PC.
I got lucky twice now. With axios, TESTCODER's isolation and Windows Defender saved me. With CPUID, the simple fact that I installed my copies months ago meant I was never in the blast radius. But not everyone has that setup. Not everyone has isolated dev environments or Pi-hole sinkholes running at the network level.
If there's one thing I want you to take away from both incidents: the convenience of one-click downloads and installs isn't worth the risk of a RAT silently running on your system. Verify before you trust. Block known bad at the network level. And for the love of all that is holy, don't assume "it's been removed" means "you're safe."
Until next time!
