New ‘TamperedChef’ Malware Spreads via Fake Productivity Apps – What to Do
A new malware campaign called TamperedChef is making the rounds by distributing fake versions of popular productivity apps like Notion and Trello. What makes it especially tricky is that the malicious installers carry valid digital signatures, which means they can slip past some basic security checks that users and antivirus tools rely on.
If you’ve ever downloaded a productivity app from a third‑party site, this is worth understanding. Below is a breakdown of what happened, why signed apps are dangerous in this context, and what concrete steps you can take to protect yourself.
What Happened
According to reporting from CyberSecurityNews (May 2026), the TamperedChef campaign distributes malware that masquerades as legitimate productivity software. The attackers clone well‑known apps—likely including Notion, Trello, or similar tools—and sign them with stolen or fraudulently obtained digital certificates. As a result, the installers appear “genuine” to Windows and macOS security features.
Once installed, the payload delivers two kinds of threats:
- Stealers – designed to harvest passwords, browser cookies, and other sensitive data.
- RATs (remote access trojans) – which give attackers remote control over the infected machine.
Because the malware carries a valid signature, it can evade early detection by endpoint protection software and may not trigger warnings about an untrusted publisher.
Why It Matters for Everyday Users
Most people who use productivity apps like Notion, Trello, or Evernote have at some point downloaded software from a direct download link, a third‑party mirror, or a file‑sharing site. The assumption that a signed app is automatically safe is common—and exactly what this campaign exploits.
Digital signatures are meant to verify the publisher’s identity and ensure the file hasn’t been tampered with. But if a certificate is stolen or issued to a fake company, the signature itself becomes part of the deception. For an ordinary user, there is often no obvious visual difference between a legitimate signed installer and a malicious one.
The threat isn’t just theoretical: if a stealer grabs your saved passwords or a RAT gives someone remote access, the damage can be quick and hard to reverse.
What You Can Do Right Now
Here are practical steps that reduce your risk without requiring advanced technical skills.
1. Download productivity apps only from official sources.
Stick to the official website of the app (e.g., notion.so, trello.com) or major app stores (Microsoft Store, Mac App Store). Avoid download aggregators or sites that offer “cracked” or “pre‑activated” versions. Even a signed download from an unofficial site could be tampered with.
2. Verify the publisher before running an installer.
On Windows, right‑click the installer file, select Properties, then go to the Digital Signatures tab. Check that the publisher name matches the actual company behind the app. On macOS, check the signature by running codesign -dv /path/to/app in Terminal (the signer is listed on the Authority= lines; use codesign -dvv if they are not shown) or use the built‑in Gatekeeper check under Security & Privacy in System Preferences. If the publisher name seems odd, such as a random person or an unfamiliar company, do not install.
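As an added example (not code from the article or from any vendor), here is a small bash helper for the macOS half of step 2 that goes one step beyond eyeballing the codesign output: it compares the leaf signer against the exact publisher string you expect and then asks Gatekeeper (spctl) for its verdict. The expected‑publisher string and the app path are placeholders you fill in with the real vendor's Developer ID.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: refuse to treat "validly
# signed" as "signed by the publisher I expect". Assumes macOS with the
# codesign and spctl tools; EXPECTED is a placeholder for the vendor's real
# "Developer ID Application: Name (TEAMID)" string.
set -u

# Pull the leaf signer out of `codesign -d --verbose=2` output. codesign lists
# the leaf first, then the intermediate and Apple root, so the first
# Authority= line is the one that names the publisher.
leaf_authority() {
  printf '%s\n' "$1" | sed -n 's/^Authority=//p' | head -n 1
}

# True only when the leaf signer equals the expected publisher exactly.
# A substring match would let a look-alike such as "Vendor Inc Ltd" pass.
signer_matches() {
  local details="$1" expected="$2"
  [ "$(leaf_authority "$details")" = "$expected" ]
}

# Full check for a real file: signature details, identity comparison, then
# Gatekeeper's own assessment (use --type install for a .pkg installer).
verify_app() {
  local path="$1" expected="$2" details
  details=$(codesign -d --verbose=2 "$path" 2>&1) \
    || { echo "UNSIGNED OR INVALID SIGNATURE: $path"; return 1; }
  if ! signer_matches "$details" "$expected"; then
    echo "WRONG PUBLISHER: '$(leaf_authority "$details")' (expected '$expected')"
    return 2
  fi
  spctl --assess --type execute "$path" 2>/dev/null \
    || { echo "GATEKEEPER REJECTED: $path"; return 3; }
  echo "OK: $path is signed by $expected and accepted by Gatekeeper"
}

# Usage (placeholder values):
# verify_app /Applications/Example.app "Developer ID Application: EXPECTED-VENDOR (TEAMID)"
```

If the vendor's own certificate was stolen, the signer string will match and this check passes, which is exactly the TamperedChef scenario; it only catches installers signed by someone other than the publisher you expect, so it complements, rather than replaces, downloading from the official site.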
3. Keep your antivirus software active and updated.
No antivirus catches everything, but modern security tools can sometimes detect malicious behavior even when the file is signed. Enable real‑time protection and allow updates to download automatically. Some products also flag when a signed app behaves suspiciously after installation.
4. Watch for unusual behavior after installation.
After installing a new app, pay attention to:
- Unexpected permission requests (e.g., “Allow this app to access your camera?” when you’re just using a to‑do list).
- Changes to your browser homepage or search engine.
- Sluggish system performance or unexplained network activity.
- New processes running in the background that you didn’t start.
5. If you suspect an infection, act quickly.
Disconnect the device from the internet (turn off Wi‑Fi or unplug the Ethernet cable). Then run a full scan with your antivirus. For a deeper check, consider using a free on‑demand scanner like Malwarebytes or Microsoft Defender Offline. If you find malware, change passwords for your important accounts from a different, clean device. Enable two‑factor authentication where possible.
6. Be cautious with signed installers from unknown publishers.
A digital signature alone is not proof of safety. The TamperedChef campaign shows that signatures can be abused. If you’re unsure about a file, you can upload it to a free online malware scanner like VirusTotal (which checks many antivirus engines) before running it. Note that some malware can remain undetected for a short time, but this extra step can catch known threats.
Sources
This article is based on reporting by CyberSecurityNews, May 2026. The campaign was first described in their article “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs.” Additional details about signed app risks and mitigation are drawn from general cybersecurity best practices published by Microsoft and the SANS Institute. As with any emerging threat, the specific apps targeted and the distribution methods may evolve—stay informed by following reputable security news sources.