Discussion
CPUID site hijacked to serve malware instead of HWMonitor downloads
kyrra: For Windows users, this is an advantage of using `winget` for installing things. It points to the installer hosted elsewhere, but it at least does a signature check. The config for the latest installer is listed here: https://github.com/microsoft/winget-pkgs/blob/master/manifes... which you can install with: winget install --exact --id CPUID.CPU-Z (there is a --version flag where you can specify "2.19"; the signature there is a month old, so it should be safe to install that way)
hypeatei: Package managers also saved people from the Notepad++ hijack that was disclosed a couple of months ago. I think devs should avoid distributing their software on first-party sites unless they're willing to dedicate a bunch of time to making sure all the infra is secure. Not a lot of people verify signatures, but it's also good to have your PKI in order (signing keys should be available on multiple channels).
jl6: To our new generation of human shields willing to use software releases less than a month old, we salute your sacrifice.
mikestorrent: Is there a tool out there that you can put software releases into and it will tell you how safe it is? I don't seem to be able to buy anything to do this. Crowdstrike and other modern antivirus may react to it once it's on a device, SAST / SCA tooling will help with CVEs, but there's nothing I can give my users where they can put in some piece of random software and get a reputation metric out the other side, is there?
quantummagic:
> after the download my Windows Defender instantly detecting a virus.
> (because i am often working with programms which triggering the defender i just ignored that)
This again shows the unfortunate corrosive effect of false positives. Probably impossible to solve while aggressively detecting viruses, though.
pshirshov: But sorta possible to solve with source-based distribution and totally possible to solve with pure reproducible builds.
daveguy: What systems have pure reproducible builds? Does Nix? Any others?
BoredPositron: "Bug fixes and general improvements." Supply chain attacks are easier because changelogs for most software are useless now, if they are provided at all.
eviks: If only there were a great Windows app store or a package manager to help with the impossible...
eviks: This manifest only shows sha checks, which wouldn't help if the manifest is updated during the site compromise. How does it do the signature check?
actionfromafar: Presumably the manifest is in github and won't auto-update when something on the CPU-Z website changes?
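The mechanism the two replies above are describing, as an added example (not winget's own code): the expected hash of the installer lives in a manifest held in a separate repository, so a swapped download changes the bytes but not the pinned value. The manifest below is constructed with the field names a winget installer manifest uses (PackageIdentifier, InstallerUrl, InstallerSha256); the URL and the installer bytes are hypothetical stand-ins, and the parser handles only the flat entries shown, not general YAML.

```python
"""Checking a download against the hash pinned in a package-manager manifest.

Added example (not winget's code). The manifest text is constructed here with
the same field names a winget installer manifest uses; the URL and installer
bytes are hypothetical stand-ins so the script runs offline.
"""
import hashlib
import hmac

# Constructed installer payloads: what the manifest author hashed, and what a
# compromised download link now serves instead.
GENUINE_INSTALLER = b"MZ\x90\x00" + b"constructed stand-in for the real cpu-z installer"
TROJANISED_INSTALLER = b"MZ\x90\x00" + b"constructed stand-in for the swapped malicious download"

# Constructed manifest. PackageIdentifier and version come from the thread;
# the InstallerUrl is hypothetical. The hash is computed from GENUINE_INSTALLER
# so the example is self-consistent; a real manifest carries a fixed literal.
MANIFEST = f"""PackageIdentifier: CPUID.CPU-Z
PackageVersion: 2.19
Installers:
- Architecture: x86
  InstallerUrl: https://example.invalid/cpu-z_2.19-en.exe
  InstallerSha256: {hashlib.sha256(GENUINE_INSTALLER).hexdigest().upper()}
ManifestType: installer
"""


def parse_installers(manifest: str) -> list[dict[str, str]]:
    """Pull the entries of the top-level Installers: list out of the manifest.

    Deliberately minimal: flat 'key: value' entries only, not a YAML parser.
    """
    installers: list[dict[str, str]] = []
    in_list = False
    for raw in manifest.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line[0] not in " -":           # a top-level key starts a new section
            in_list = line.startswith("Installers:")
            continue
        if not in_list:
            continue
        entry = line.lstrip()
        if entry.startswith("- "):        # new list item
            installers.append({})
            entry = entry[2:]
        key, _, value = entry.partition(":")
        installers[-1][key.strip()] = value.strip()
    return installers


def verify_download(manifest: str, url: str, data: bytes) -> bool:
    """True only if url is pinned in the manifest and data hashes to its InstallerSha256."""
    pinned = {i["InstallerUrl"]: i["InstallerSha256"].lower() for i in parse_installers(manifest)}
    if url not in pinned:
        return False                      # never run an installer the manifest does not list
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(pinned[url], actual)


def demo() -> dict[str, bool]:
    """Constructed scenario: the pinned manifest is unchanged, the download link is not."""
    url = "https://example.invalid/cpu-z_2.19-en.exe"
    return {
        "genuine": verify_download(MANIFEST, url, GENUINE_INSTALLER),
        "redirected": verify_download(MANIFEST, url, TROJANISED_INSTALLER),
        "unlisted_url": verify_download(MANIFEST, "https://example.invalid/other.exe", GENUINE_INSTALLER),
    }


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the channel the manifest arrived through: because the manifest sits in a repository that does not follow the vendor's site, a compromise of the download server fails the hash comparison, whereas a manifest fetched from the same compromised site would simply be updated alongside the payload, which is the objection raised above.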
Foobar8568: Besides VirusTotal, I am unsure: https://www.virustotal.com/
magicalhippo: After my Wordpress site got hacked way back through an exploit in one of the WP files, I set up a cron job that compared the hash of the static files with the expected hash, and would fire off an email if they differed. The script lived above the web root, so they'd have to escape that to tamper with it, and was generated by another script. Saved me a couple of times since, well worth the 15 minutes I spent on setting it up.
embedding-shape:
> Saved me a couple of times since
Wait, how often does your Wordpress site get successfully hacked like that?
magicalhippo: Keep in mind the first time was about 20 years ago. One time the hosting provider got compromised, FTP server exploit IIRC.
seanw444: You could put it into an LLM, since that's what we do for everything else nowadays.
michaelt: Back in the 1990s, there was a tool called ‘tripwire’ that checked key files against expected checksums.As I recall, they recommended putting the expected values on a floppy disk and setting the ‘write protect’ tab, so the checksums couldn’t be changed.
gertop: It's entirely possible to ship malware in source form... Just look at the numerous supply chain attacks. Nix is a cute project but entirely irrelevant here.
orthogonal_cube: Seems the installers hosted by them are fine. The links on the site have been changed to direct people towards Cloudflare R2 storage with various copies of malicious executables.Looking forward to information down the line on how this came about.
1970-01-01: Not exactly a supply chain compromise, as devs should be smart enough to update via a package manager such as winget and chocolatey, but it certainly fits for a watering hole attack.
Terr_: One could view it as a supply-chain compromise of an alternate chain that's very short.
cwizou: For what it's worth - I used to write CPU reviews a while back - I can vouch for both Sam and Franck. Franck is the guy behind CPUID and Sam is a close friend of his, who was known for working at Canard PC on top of his work on Memtest : https://x86.fr/about-me/
FuriouslyAdrift: tripwire was the original file integrity anti-virus/anti-tampering software from the security group (which turned into CERIAS) at Purdue led by Dr. Eugene "Spaf" Spafford. https://docs.lib.purdue.edu/cstech/1084/
sourcegrift: Thanks to the web that produced CSS programmers who have been taught that latest is greatest and shiny gets money.
leptons: "new, shiny" has never been a problem with CSS. Either browsers support some CSS attribute or they don't. You're probably thinking about JavaScript programmers.