New Malware ‘TamperedChef’ Spreads via Signed Apps – Here’s How to Stay Safe

If you’ve ever downloaded a productivity app from anywhere other than an official store or the publisher’s own site, you might want to double-check what’s actually on your machine. A newly reported malware family called TamperedChef is making the rounds by hiding inside signed versions of popular applications like office suites, note‑taking tools, and collaboration software.

Here’s what you need to know about this threat, and – more importantly – how to keep it off your devices.

What Happened?

According to security researchers (first reported by CyberSecurityNews on May 21, 2026), TamperedChef takes advantage of a technique that has historically been hard for antivirus tools to spot: it uses valid digital signatures. Attackers obtain legitimate code‑signing certificates – sometimes by compromising a developer’s account, sometimes by registering as a publisher themselves – and then attach that signature to malware‑laden installers.

The payload found inside these signed packages typically includes an info‑stealer (designed to harvest passwords, cookies, and other credentials) and a remote access trojan (RAT) that gives attackers ongoing control over the infected computer. The malware specifically targets productivity applications because those are widely used in both home and corporate environments, and people tend to trust them without a second thought.

At the time of writing, the exact scope of the campaign is still being assessed. Researchers have observed samples in the wild, but it’s unclear how many users have been affected so far. What is clear is that the use of signed code makes TamperedChef harder to detect than typical unsigned malware.

Why It Matters

Many of us have been taught that a signed application is a safe application. Digital signatures are meant to verify that the software hasn’t been tampered with and that it comes from a legitimate publisher. TamperedChef undermines that trust. If an installer appears to be signed by a known company, your operating system may not flag any warnings, and some antivirus engines may also give it a pass.

Once installed, the malware can:

  • Steal saved passwords from browsers and password managers.
  • Exfiltrate personal files, including documents, photos, and financial records.
  • Install additional payloads or turn your device into part of a botnet.

For professionals, the risk extends to corporate data: a single infected machine can become an entry point for broader network intrusions.

What You Can Do

While the details of TamperedChef are still emerging, the same basic precautions that protect against most signed-malware attacks apply here. Here are five steps you can take right now:

  1. Download only from official sources. Stick to the manufacturer’s website or a well‑known app store (Microsoft Store, Mac App Store, or the official repository for Linux). Third‑party download sites are a common source of tampered installers, even if they look legitimate.

  2. Check the publisher and signature before installing. On Windows, right‑click the installer, select Properties, and go to the Digital Signatures tab. Verify that the signer is the expected company and that the certificate is current. On macOS, look for a message saying the app was verified by Apple. If anything looks off – unknown publisher, expired certificate, mismatched name – do not run the installer.

  3. Keep your antivirus and operating system updated. Security vendors are likely already adding detection rules for TamperedChef. Make sure your software is set to receive automatic updates. However, note that no antivirus catches everything, especially when valid signatures are involved, so don’t rely on it alone.

  4. Be suspicious of unusual behavior. If a productivity app asks for more permissions than it should (e.g., access to your webcam, microphone, or browser credentials), stop using it and investigate. Slow performance, unexpected pop‑ups, or strange network activity can also be signs of infection.

  5. Enable two‑factor authentication (2FA) on your accounts. Even if passwords get stolen, 2FA can block login attempts. Use an authenticator app or a hardware key rather than SMS when possible.
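The signature check in step 2 can be scripted so it is done the same way every time. The PowerShell function below is an added example, not code from the article or from any vendor; it uses the built-in `Get-AuthenticodeSignature` cmdlet and the signer certificate's .NET properties. The installer path and the expected publisher name at the bottom are placeholders you replace with the file you downloaded and the company name shown on the vendor's own site.

```powershell
# Added example (not from the article): check an installer's Authenticode
# signature on Windows before running it, as step 2 describes.
# $Path and $ExpectedPublisher are placeholders supplied by the person running it.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $ExpectedPublisher   # CN you expect, taken from the vendor's own site
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. NotSigned, HashMismatch, NotTrusted and similar statuses are all grounds to stop.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path    = $Path
            Verdict = 'REJECT'
            Reason  = "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        }
    }

    $cert     = $sig.SignerCertificate
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signerCn = $cert.GetNameInfo($nameType, $false)   # subject CN
    $issuerCn = $cert.GetNameInfo($nameType, $true)    # issuing CA CN

    # 2. 'Valid' only proves the file was not altered after it was signed. It says
    #    nothing about WHO signed it: a certificate an attacker registered in their
    #    own name passes this check too. So the signer must be the publisher you expect.
    if ($signerCn -ne $ExpectedPublisher) {
        return [pscustomobject]@{
            Path    = $Path
            Verdict = 'REJECT'
            Reason  = "Signed by '$signerCn', expected '$ExpectedPublisher' (issuer: $issuerCn)"
        }
    }

    # 3. Certificate validity window. A signature carrying a trusted timestamp stays
    #    valid after the certificate expires, so report the dates and the timestamp
    #    instead of silently accepting or rejecting.
    $expired     = $cert.NotAfter -lt (Get-Date)
    $timestamped = $null -ne $sig.TimeStamperCertificate

    if ($expired -and -not $timestamped) {
        $verdict = 'REJECT'
        $reason  = "Certificate expired on $($cert.NotAfter) and the signature is not timestamped"
    } elseif ($expired) {
        $verdict = 'ACCEPT'
        $reason  = "Certificate expired on $($cert.NotAfter) but the signature is timestamped"
    } else {
        $verdict = 'ACCEPT'
        $reason  = 'Signature valid and signer matches the expected publisher'
    }

    return [pscustomobject]@{
        Path        = $Path
        Verdict     = $verdict
        Signer      = $signerCn
        Issuer      = $issuerCn
        Thumbprint  = $cert.Thumbprint    # compare against a value the vendor publishes, if they do
        ValidFrom   = $cert.NotBefore
        ValidTo     = $cert.NotAfter
        Timestamped = $timestamped
        Reason      = $reason
    }
}

# Usage with placeholder values: replace the path and the publisher name with your own.
Test-InstallerSignature -Path 'C:\Users\me\Downloads\ExampleSuite-Setup.exe' `
                        -ExpectedPublisher 'Example Software Ltd' | Format-List
```

The publisher comparison is deliberately a whole-string match: a signer name that is only close to the one you expected is rejected, which is the conservative outcome you want. Note what this check cannot do: if the attacker signed with a certificate stolen from the real vendor, the name matches and the signature is valid, which is why the other steps in the list (official download sources, updated antivirus, watching for unusual behaviour) still apply. On macOS the equivalent command-line checks are `codesign -dv --verbose=4 /path/to/App.app` to see the signer and `spctl --assess --verbose=4 --type execute /path/to/App.app` to see whether Gatekeeper would allow it.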

If You Suspect an Infection

  • Disconnect from the internet immediately. This stops the malware from communicating with its command‑and‑control servers.
  • Run a full security scan using a trusted antivirus or a dedicated malware removal tool.
  • Change your passwords from a clean device (such as a smartphone or another computer). Start with your most sensitive accounts: email, banking, and social media.
  • Consider wiping and reinstalling the operating system if the infection is deep. Signed malware can sometimes hide well enough that a simple scan may not remove it.

Sources

This article was updated based on information available as of May 2026. The malware landscape changes quickly, so stay informed via trusted security news sources.