How to Spot Malware Hidden in Fake Signed Productivity Apps

A new malware campaign is targeting everyday users by hijacking a trick that normally helps keep software safe: digital signatures. The malware, dubbed TamperedChef, uses stolen or forged code‑signing certificates to make malicious copies of popular productivity apps look completely legitimate. If you use tools like Notion, Slack, Trello, or similar programs, this is worth understanding—not because you should panic, but because the right habits can keep you out of harm’s way.

What Happened

In late May 2026, security researchers reported that TamperedChef malware was being distributed through what appeared to be digitally signed installer files for productivity applications. Code signing is a security feature where a developer signs their software with a cryptographic certificate to prove who published it and that it hasn’t been tampered with. Operating systems and antivirus tools tend to trust signed apps more readily. The attackers in this campaign either obtained a stolen certificate or created a deliberately misleading one, then used it to sign modified installers that deliver credential stealers and remote access trojans (RATs).

Once installed, these malicious versions can run in the background, capture passwords, and give attackers remote control of the machine. The initial report came from CyberSecurityNews, and while full technical details are still emerging, the core technique—abusing code signing—is not new, but it is being used with greater sophistication.

Why It Matters to You

For most people, seeing that an app is “signed by a verified publisher” is a green light. It means the file has not been altered since it left the developer. But if the signing certificate itself is fraudulent, that protection is worthless. Any productivity app you might download from a third‑party site, a link in an email, or even a sponsored ad could be a fake that carries this malware.

Security software often trusts signed files automatically, meaning the malware can slip past your defences without a warning. The result: you think you are installing a familiar tool, but you are actually giving away your credentials or opening a backdoor into your system.

What You Can Do Right Now

You do not need to become a security expert to protect yourself. These practical steps will catch most fake signed apps.

1. Check the Digital Signature Before Installing

On Windows:
Before running any installer, right‑click the file and select Properties. Go to the Digital Signatures tab. You will see a list of signers. Click on the name and then click Details. Look at the “Signer Information” – it should match the official company name of the software (e.g., “Slack Technologies, LLC” or “Notion Labs, Inc.”). Also check the “Countersignatures” or timestamp – if it says the signature was added very recently for an old version of the app, that is suspicious.

On macOS:
Right‑click the app and choose Get Info. Look under the General section for a line that says “Signed by” or “Verified”. You can also open Terminal and run codesign -dvv /path/to/App.app – it will display the signing authority. A legitimate app will show the developer’s official Apple certificate.

On Windows, if there is no Digital Signatures tab at all, the file is unsigned, which is a red flag for any modern productivity app.
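
For the macOS Terminal check in step 1, here is an added example (not from the original report or from Apple) that goes beyond reading the output by eye: it compares the signer shown by codesign with the publisher you expect, since a fake app can carry a complete certificate chain issued to a lookalike name. The function names, the Team ID ABCDE12345 and the publisher names are constructed for illustration; take the real Team ID from the vendor's official site.

```sh
#!/bin/sh
# Added example. Team ID ABCDE12345 and all publisher names are constructed.

# Reads `codesign -dvv` output on stdin; $1 = Team ID you expect.
# Prints one verdict: match | mismatch | adhoc | unsigned
classify_signer() {
    expected_team=$1
    info=$(cat)
    # Ad hoc signatures have no certificate chain behind them.
    if printf '%s\n' "$info" | grep -q '^Signature=adhoc$'; then
        echo adhoc; return 0
    fi
    # The first Authority line is the leaf (developer) certificate.
    leaf=$(printf '%s\n' "$info" | sed -n 's/^Authority=//p' | head -n 1)
    team=$(printf '%s\n' "$info" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    if [ -z "$leaf" ]; then
        echo unsigned; return 0
    fi
    # A complete chain is not enough: the signer must be the expected one.
    if [ "$team" != "$expected_team" ]; then
        echo mismatch; return 0
    fi
    case $leaf in
        "Developer ID Application: "*"($expected_team)") echo match ;;
        *) echo mismatch ;;
    esac
}

# macOS only: integrity first, then Gatekeeper, then signer identity.
# $1 = path to the .app, $2 = expected Team ID.
check_app() {
    codesign --verify --deep --strict "$1" || { echo "signature invalid"; return 1; }
    spctl --assess --type execute "$1" || { echo "rejected by Gatekeeper"; return 1; }
    verdict=$(codesign -dvv "$1" 2>&1 | classify_signer "$2")
    echo "signer: $verdict"
    [ "$verdict" = match ]
}

# Constructed `codesign -dvv` output: properly chained, but a lookalike publisher.
SAMPLE='Identifier=com.example.app
Authority=Developer ID Application: Examp1e Software LLC (ZZZZZ99999)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZ99999'
printf '%s\n' "$SAMPLE" | classify_signer ABCDE12345   # prints: mismatch
```

The classifier targets Developer ID signatures, which is what apps downloaded outside the Mac App Store carry; check_app needs a Mac, while classify_signer runs anywhere on saved output.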

2. Only Download from Official Sources

This is the single most effective precaution. Go directly to the developer’s website or use the official app store (Microsoft Store, Mac App Store). Avoid “free download” sites, torrents, and unknown mirrors. Even a site that looks clean can host tampered files.

3. Watch for Unexpected Update Prompts

One common delivery method is a fake update notification inside a legitimate app. If your note‑taking app suddenly asks you to download a critical update by clicking a link, pause. Open the app’s settings menu and look for an “About” or “Check for Updates” section. If the app normally updates itself automatically, a manual download link is unusual.

4. Keep Your Security Software and OS Updated

Many modern antivirus programs now check file reputation beyond just the signature. Keep definitions up to date so that even a signed malicious file can be caught by behavioural monitoring. Also apply OS updates promptly—they often include patches that make it harder to forge certificates.

5. If You Suspect an Infection

If you have already installed an app that you now doubt, disconnect from the internet, run a full scan with your antivirus (or use a reputable second‑opinion scanner like Malwarebytes), and change passwords for your most important accounts from a different device. Consider enabling multi‑factor authentication on accounts that support it—this limits what a stealer can do even if it captures your password.

Long‑Term Habits

Staying safe with productivity apps is not a one‑time checklist. Make a habit of verifying digital signatures whenever you download from outside official stores. Trust your security software’s warnings, even if the file looks signed. And remember: if a deal seems too good (like a “free lifetime license” for a paid app), it is almost certainly hiding malware.

No defence is perfect, but these steps will protect you from the vast majority of signed‑malware campaigns, including TamperedChef.


Sources:

  • CyberSecurityNews, “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs”, 21 May 2026.
  • General guidance on digital signature verification from Microsoft and Apple support documentation.