Paintou
2026-05-06
Cybersecurity

SentinelOne AI Thwarts Major Supply Chain Attack Targeting CPU-Z Utility; Attackers Compromised Official Download Site

SentinelOne's AI EDR autonomously blocked a sophisticated supply chain attack on CPU-Z's official download site, which served malware for 19 hours.

Breaking: Supply Chain Attack on CPU-Z Neutralized by Autonomous AI Defense

April 10, 2026 — SentinelOne’s AI-powered endpoint detection and response (EDR) system autonomously blocked a sophisticated watering-hole attack targeting the CPU-Z utility on April 9. The attack compromised the official download infrastructure of cpuid.com, serving malware through the site’s own download button for approximately 19 hours.

Source: www.sentinelone.com

Attack Details

Threat actors breached the CPUID domain at the API level, silently redirecting legitimate download requests to attacker-controlled servers. Users who visited the official site received a properly signed binary with a malicious payload bundled inside. The binary's digital signature was valid, and the download came directly from the vendor’s infrastructure.

SentinelOne’s behavioral detection flagged an anomaly in cpuz_x64.exe execution. The process chain—PowerShell spawning csc.exe and then cvtres.exe—was abnormal for CPU-Z. The agent autonomously terminated and quarantined the involved processes, preventing further damage.
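The process-lineage check described above can be sketched as follows. This is an added example, not SentinelOne's detection logic or code from the source report. The event fields, the watch list, the sample events, and the assumption that cpuz_x64.exe is an ancestor (at any depth) of the PowerShell process are all constructed for illustration.

```python
import ntpath

# Utilities that have no reason to compile code at run time (assumed watch list).
WATCHED = {"cpuz_x64.exe"}
# Child-first order of the chain the article describes: powershell -> csc -> cvtres.
TAIL = ["cvtres.exe", "csc.exe", "powershell.exe"]

# Constructed events shaped like Sysmon Event ID 1 (process creation); PIDs are invented.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NET = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\"
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Users\it\Downloads\cpuz_x64.exe"},
    {"pid": 220, "ppid": 210, "image": PS},
    {"pid": 230, "ppid": 220, "image": NET + "csc.exe"},
    {"pid": 240, "ppid": 230, "image": NET + "cvtres.exe"},
    # Same compiler chain started from an interactive shell: no watched ancestor.
    {"pid": 300, "ppid": 100, "image": PS},
    {"pid": 310, "ppid": 300, "image": NET + "csc.exe"},
    {"pid": 320, "ppid": 310, "image": NET + "cvtres.exe"},
]

def lineage(pid, by_pid):
    """Image basenames from pid up to the oldest known ancestor, child first."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against PID-reuse loops
        seen.add(pid)
        names.append(ntpath.basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return names

def find_alerts(events):
    """Flag cvtres.exe <- csc.exe <- powershell.exe when a watched utility is an ancestor."""
    by_pid = {e["pid"]: e for e in events}  # real telemetry should key on ProcessGuid
    alerts = []
    for e in events:
        names = lineage(e["pid"], by_pid)
        roots = [n for n in names[len(TAIL):] if n in WATCHED]
        if names[:len(TAIL)] == TAIL and roots:
            chain = names[:names.index(roots[0]) + 1][::-1]
            alerts.append({"pid": e["pid"], "chain": chain})
    return alerts

if __name__ == "__main__":
    for a in find_alerts(EVENTS):
        print(a["pid"], " -> ".join(a["chain"]))
```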

“The trust chain broke above the users,” said a SentinelOne threat analyst. “They followed every instruction—downloaded from the official site, ran a signed binary. The attackers never touched the users’ behavior; they compromised the supplier’s infrastructure.”

Background: Escalating Supply Chain Threats

This incident mirrors a systemic shift identified in SentinelOne’s annual threat report. “The identity of a trusted developer becomes the vector of attack,” notes the report. In late 2025, the GhostAction campaign saw a compromised GitHub maintainer account push malicious workflows to extract secrets. Similarly, a phishing attack against a maintainer of popular NPM packages deployed code capable of intercepting cryptocurrency transactions. In each case, commit logs and push events appeared legitimate because they originated from accounts with valid write access.

The CPUID incident extends this pattern to software distribution: the supplier’s download infrastructure became the delivery channel. CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor are staples in IT toolkits, amplifying the attack’s potential impact.

What This Means

Traditional signature-based defenses would have failed; the binary was genuine. SentinelOne’s behavioral AI detected five converging indicators: anomalous API resolution, reflective code loading, suspicious RWX memory allocation, process injection patterns, and heuristic shellcode signatures. This autonomous response demonstrates that defenses must look beyond file reputation to process behavior.

“The next attack will work the same way,” the analyst emphasized. Organizations must monitor software supply chain integrity and deploy AI-driven behavioral detection to catch threats that exploit trust relationships. The CPU-Z attack is a stark reminder that even verified software from official sources can be weaponized.