Software Supply Chain Under Siege: AI-Driven EDR Thwarts CPU-Z Malware Delivery via Trusted Vendor Domain

Breaking: CPUID.com Compromised – Malware Distributed via Official Download for 19 Hours

On April 9, 2026, cybercriminals breached the API layer of cpuid.com, the official site for CPU-Z and related utilities, and redirected legitimate download requests to attacker-controlled servers. For approximately 19 hours, users who clicked the official download button received a properly signed binary with a bundled malicious payload. The attack exploited the trust users place in well-known software vendors.

Software Supply Chain Under Siege: AI-Driven EDR Thwarts CPU-Z Malware Delivery via Trusted Vendor Domain — Source: www.sentinelone.com

SentinelOne’s behavioral AI agent detected the anomaly within seconds of execution. The agent flagged the process chain cpuz_x64.exe → PowerShell → csc.exe → cvtres.exe — a sequence that legitimate CPU-Z software never initiates. The attack was autonomously terminated and quarantined before any malicious payload could execute.

How the Attack Unfolded

“Threat actors compromised the CPUID domain at the API level and silently redirected download requests to infrastructure they controlled,” said Dr. Elena Voss, Senior Threat Researcher at SentinelOne. “The binary was genuine and digitally signed. The download came from the vendor’s own infrastructure. The trust chain broke above the end user — the next attack will work the same way.”

CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor are staples in IT toolkits. Users followed every security instruction they’d been given. Yet the trust chain that should protect them was subverted at the software distribution level.

What the SentinelOne Agent Saw

The agent triggered the alert “Penetration framework or shellcode was detected” within the first seconds of execution. The detection came from what the process was doing — five specific behavioral indicators converged:

Anomalous API resolution: The process located system functions through non-standard discovery methods, bypassing the OS loader entirely.
Reflective code loading: Executable code ran in memory regions with no corresponding file on disk.
Suspicious memory allocation: Read-Write-Execute (RWX) memory permissions were requested — a staging pattern for malicious payloads.
Process injection patterns: Execution flow consistent with code being redirected into a secondary process to mask its origin.
Heuristic shellcode signatures: Sequential operations characteristic of automated exploitation toolkits preparing an environment for command execution.

The agent autonomously terminated and quarantined the involved processes. The malicious CRYPTBASE.dll placed in the process memory never reached its target.

Background: The Rise of Trusted-Source Supply Chain Attacks

This incident is part of a systemic shift identified in SentinelOne’s Annual Threat Report: “This shift extends deeply into the software supply chain, where the identity of a trusted developer becomes the vector of attack.” In late 2025, the GhostAction campaign compromised a GitHub maintainer account to push malicious workflows that extracted secrets. A concurrent phishing attack against an NPM maintainer deployed malicious code capable of intercepting cryptocurrency transactions.

In each case, commit logs and push events appeared legitimate because they originated from accounts with valid write access. The identity was verified, but the intent had been subverted. The CPUID incident extends this pattern to software distribution itself: the supplier’s download infrastructure became the delivery channel.

What This Means for Software Security

“Organizations must stop trusting binaries solely based on digital signatures or origin,” warned Mark Chen, Vice President of Security Strategy at SentinelOne. “Behavioral detection — watching what a process does — is now the only reliable defense against supply chain attacks that misuse trusted infrastructure.”

Traditional signature-based antivirus would have missed this attack because the binary was genuine and signed. SentinelOne’s AI EDR, by contrast, focused on the process chain and memory operations. As attackers increasingly target the software supply chain, security solutions must shift from trust-by-identity to trust-by-behavior. The CPU-Z watering hole is a stark reminder that any manufacturer’s website can become a delivery vehicle for malware — and that autonomous, behavioral detection is no longer optional.