CPU-Z and HWMonitor compromised (theregister.com)
john_strinlai 58 minutes ago [-]
some comments purportedly (i did not verify) from one of the maintainers:

>Dear All, I'm Sam and I'm working with Franck on CPU-Z (I'm doing the validator). Franck is unfortunately OOO for a couple of weeks. I'm just out of bed after working on Memtest86+ for most of the night, so I'm doing my best to check everything. As very first checks, the file on our server looks fine (https://www.virustotal.com/gui/file/6c8faba4768754c3364e7c40...) and the server doesn't seem compromised. I'm investigating further... If anyone can tell me the exact link to the page where the malware was downloaded, that would help a lot

>Thank you. I found the biggest breach, restored the links and put everything in read-only until more investigation is done. Seems they waited until Franck was off and I got to bed after working on Memtest86+ yesterday :-/

>The links have been compromised for a bit more than 6 hours between 09/04 and 10/04 GMT :-/

So, it appears that the cpuid website was compromised, with links leading to fake installers.

BoredPositron 41 minutes ago [-]
It's the third time that I've read something about availability notifications on discord and other chats getting abused for timed attacks in the last few weeks.
jl6 24 minutes ago [-]
To our new generation of human shields willing to use software releases less than a month old, we salute your sacrifice.
quantummagic 32 minutes ago [-]
> after the download my Windows Defender instantly detected a virus.

> (because I am often working with programs which trigger the defender I just ignored that)

This again shows the unfortunate corrosive effect of false-positives. Probably impossible to solve while aggressively detecting viruses though.

pshirshov 2 minutes ago [-]
But sorta possible to solve with source-based distribution and totally possible to solve with pure reproducible builds.
kyrra 35 minutes ago [-]
For windows users, this is an advantage of using `winget` for installing things. It points to the installer hosted elsewhere, but it at least does a signature check. The config for the latest installer is listed here: https://github.com/microsoft/winget-pkgs/blob/master/manifes...

which you can install with:

   winget install --exact --id CPUID.CPU-Z
(there is a --version flag where you can specify "2.19"; the signature there is a month old, so it should be safe to install that way)
eviks 9 minutes ago [-]
This manifest only shows sha checks, which wouldn't help if the manifest is updated during the site compromise. How does it do the signature check?
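A manual version of the two checks discussed above, added here as an example rather than code from the thread or from winget itself: compare the downloaded installer against the InstallerSha256 pinned in the winget manifest, and independently check the file's Authenticode signature. The file paths and the publisher-name pattern are assumed placeholders; the two checks are independent, so a swapped file fails the hash pin, and a file not signed by the vendor fails the signature check even if a manifest were wrong.

```powershell
# Added example (not from the thread or from CPUID/winget). Paths and the
# expected publisher pattern are assumptions; adjust them to your environment.
param(
    [string]$Installer = 'C:\Downloads\cpu-z_2.19-en.exe',            # assumed path
    [string]$Manifest  = 'C:\winget-pkgs\CPUID.CPU-Z.installer.yaml',  # assumed path
    [string]$ExpectedSigner = 'CPUID'                                  # assumed pattern
)

# 1. Hash pinned in the winget installer manifest (InstallerSha256 key).
$pinned = Select-String -Path $Manifest -Pattern '^\s*InstallerSha256:\s*([0-9A-Fa-f]{64})' |
          ForEach-Object { $_.Matches[0].Groups[1].Value } |
          Select-Object -First 1
if (-not $pinned) { throw "No InstallerSha256 found in $Manifest" }

# 2. Hash of the file that was actually downloaded.
$actual = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
$hashOk = $actual -ieq $pinned

# 3. Authenticode signature: chain must validate and the signer must be the vendor.
$sig = Get-AuthenticodeSignature -FilePath $Installer
$subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
$signerOk = ($sig.Status -eq 'Valid') -and ($subject -match $ExpectedSigner)

[pscustomobject]@{
    HashMatches     = $hashOk
    PinnedSha256    = $pinned
    ActualSha256    = $actual
    SignatureStatus = $sig.Status
    Signer          = $subject
    SignerOk        = $signerOk
}

# A replaced installer (as in this incident) fails the hash pin; an unsigned or
# differently signed binary fails the signature check. Refuse to run on either.
if (-not ($hashOk -and $signerOk)) {
    Write-Warning "Do not run ${Installer}: hash or signature does not match expectations"
    exit 1
}
```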
hypeatei 47 seconds ago [-]
Package managers also saved people from the Notepad++ hijack that was disclosed a couple months ago.
ww520 13 minutes ago [-]
Yes. Winget is getting better support on Windows apps. The other day I tried to download the latest version of ImageMagick but all the links on the official site were bad. I tried Winget and it had it!
orthogonal_cube 1 hour ago [-]
Seems the installers hosted by them are fine. The links on the site have been changed to direct people towards Cloudflare R2 storage with various copies of malicious executables.

Looking forward to information down the line on how this came about.

cachius 1 hour ago [-]
It's HWMonitor https://www.cpuid.com/softwares/hwmonitor.html and not HWInfo https://www.hwinfo.com/

So two programs from CPUID. I wonder if there are more affected.

Same topic on Reddit at https://news.ycombinator.com/item?id=47718830 @dang

cachius 1 hour ago [-]
This is bad. I like to install software with winget. Are the versions there also compromised?

v1.63 updated 6 days ago https://github.com/microsoft/winget-pkgs/tree/master/manifes... via https://winstall.app/apps/CPUID.HWMonitor

v2.19 updated 15 days ago https://github.com/microsoft/winget-pkgs/tree/master/manifes... via https://winstall.app/apps/CPUID.CPU-Z

kevincloudsec 1 hour ago [-]
same threat group hit filezilla last month with a fake domain. this time they didn't even need a fake domain, they compromised the real one's api layer. the attack is evolving from 'trick users into visiting the wrong site' to 'make the right site serve the wrong file.'
amatecha 55 minutes ago [-]
kevincloudsec 1 hour ago [-]
same threat group hit filezilla last month. they're specifically targeting utilities that tech-savvy users trust and download from official sources. the attack surface is the api layer that generates download links, not the binary itself
unethical_ban 30 minutes ago [-]
I've wondered about this while using CachyOS and their package installer. I don't know what repos do what, I don't really understand the security model of the AUR, and I wonder, if I download a package, how can I know it's legitimate or otherwise by some trusted user of the community vs. some random person?
cephi 15 minutes ago [-]
To provide some quick information (I implore others to correct me here):

- CachyOS packages should be coming from known, trusted CachyOS and Arch Linux maintainers. There is still potential for them or their original packages to get compromised (see the XZ backdoor); however, they are pulling source code from trusted sources, so you can generally trust these as much as you trust the OS itself.

- AUR packages are a complete wild west. AUR packages are defined by PKGBUILD files and I highly recommend learning how to read PKGBUILDs and always reading them before installation and re-reading them when they are updated. PKGBUILDs can be treated as untrusted shell scripts and to a certain extent an arbitrary actor can make and upload any PKGBUILD. Feel free to use them, but make sure A) they are downloading from trusted sources like the original git repo and B) they are running commands that are expected.

wang_li 1 hour ago [-]
Jesus. I see that post and comment section and I immediately expect to hear Joey telling me about how this ATM in Idaho started spraying cash after his hack of the Gibson. That is a real-life reproduction of the perception of hackers in films in the '90s.
vntok 57 minutes ago [-]
From the thread:

> Q: Why the heck did you hyperlink [the malware installer]?

> A: If someone reads this and they still click the download then they kind of deserve the virus tbh

metalliqaz 59 minutes ago [-]
someone has some l33t sk1llz
cachius 57 minutes ago [-]
Also per X.com at https://news.ycombinator.com/item?id=47718759 @dang

While we're at X, Grok also researched the topic: https://x.com/i/grok/share/3b870ceb9b424c01bf89afbe0de3bd81
