TamperedChef Malware: Why Even Signed Productivity Apps Can Be Dangerous

If you use apps like Notion, Slack, or Trello for work or personal organization, a new malware campaign called TamperedChef is worth knowing about. According to recent security reporting, attackers are distributing malicious installers for these productivity tools that carry a valid digital signature. Because the signature checks out, the installers look legitimate to users and to antivirus software, at least on first inspection.

Here’s what is happening, why it matters, and what you can do to avoid falling victim.

What happened

The TamperedChef campaign packages information stealers and remote access trojans (RATs) inside installers that look like the official ones for popular productivity applications. The operators sign those installers with valid code signing certificates, which they may have stolen from legitimate developers or obtained fraudulently from a certificate authority; public reporting does not say which. A code signing certificate is meant to attest that a binary comes from a named publisher and has not been altered since it was signed. Here that attestation is real, but the name on it is not the app's actual developer, and that is what makes the malicious installers look authentic.

Once installed, the malware can steal saved passwords, log keystrokes, capture clipboard contents, and download additional payloads, and the RAT component gives the attacker interactive remote control of the infected computer. The campaign has been observed targeting users of Notion, Slack, Trello, and similar apps, though other productivity tools could be impersonated in future versions.

Why it matters

The use of signed software is a major concern because it exploits a common but mistaken assumption: that a digitally signed app is a safe app. A valid signature only proves that a particular certificate holder signed the file and that it has not changed since; it says nothing about whether that holder is the developer you think it is, or whether the code is benign. Many users and even IT teams treat the presence of a signature as a shortcut for trust, and TamperedChef is built around that shortcut.

The practical risk is data theft. Compromising a productivity app gives attackers access to notes, project files, messages, and—if the app integrates with other services—potentially your email or cloud storage accounts. The additional presence of a RAT means an attacker could monitor your activity in real time or use your machine as a launchpad for further attacks on your network.

The campaign is active as of cybersecurity news reports from late May 2026. The exact distribution method is not fully detailed in public reporting; phishing emails, fake download sites, and torrents that point users at the tampered installers are the likely channels, but that is an inference rather than a confirmed finding.

What you can do

Because the malware hides inside signed apps, you cannot rely solely on the digital signature or your antivirus. Here are concrete steps to reduce your risk.

Only download from official sources. That means the developer's own download page or the official app stores (Microsoft Store or Mac App Store). Avoid third-party download aggregators and links in unsolicited messages. Even if a site looks professional, verify the URL before downloading, and type it yourself rather than following a link.

Check the publisher name carefully. On Windows, right-click the installer, open Properties, and look at the Digital Signatures tab; Windows also shows the same name as the "Verified publisher" in the User Account Control prompt when you run the installer. The signer should match the actual app developer, for example "Notion Labs, Inc." for Notion or "Slack Technologies, LLC" for Slack. A signature that is valid but carries a different name, a misspelled or lookalike name, or a company you do not recognize is the TamperedChef warning sign, so do not run the installer. Where you can, compare the signer details with those on a copy downloaded from the vendor's own page, since the name alone is easy to imitate with a cheap certificate.

Monitor for unusual behavior. After installing, pay attention if the app asks for unexpected permissions (such as camera, microphone, or file system access beyond normal use), if the machine becomes sluggish, or if you see processes in Task Manager that you do not recognize or that carry the app's name but run from an unexpected location. These are common signs of adware or malware.

Use security software that includes behavior-based detection. Antivirus that relies only on detection signatures (patterns of known malware, not to be confused with the code signature on the file) may miss a freshly built, validly signed installer, but tools that monitor for suspicious behavior (such as unauthorized network connections, credential store access, or keylogging activity) can catch it. Keep your security software updated.
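The publisher check above and the process monitoring it implies can be scripted. The following is an added example written for this article, not code from the original report or from any of the vendors named; it verifies that a downloaded installer, and any running process that wears a product's name, is signed by the publisher you expect rather than merely signed. The expected publisher names in the table are assumptions for illustration (the article quotes them, but you should confirm the exact subject string against a copy obtained from the vendor's own download page), and the installer path in the usage lines is a placeholder.

```powershell
# Added example, not code from the original article or from any vendor.
# Checks that a file is validly signed AND that the signer is the publisher
# expected for that product; a valid signature from the wrong company is a
# failure, which is exactly the TamperedChef case.

$ExpectedPublishers = @{          # product name fragment -> expected signer CN (assumed values)
    'Notion' = 'Notion Labs, Inc.'
    'Slack'  = 'Slack Technologies, LLC'
}

function Get-SignerInfo {
    # Returns the Authenticode status plus the signer's subject CN and thumbprint.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $cn  = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.GetNameInfo('SimpleName', $false)   # subject CN
    } else { '' }
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer      = $cn
        Thumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

function Test-ExpectedPublisher {
    # Decide whether a file should be trusted as an installer or binary for $Product.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Product
    )
    $expected = $ExpectedPublishers[$Product]
    if (-not $expected) { throw "No expected publisher recorded for '$Product'" }
    $info = Get-SignerInfo -Path $Path
    if ($info.Status -ne 'Valid')       { $reason = "signature status is $($info.Status)" }
    elseif ($info.Signer -ne $expected) { $reason = "signed by '$($info.Signer)', expected '$expected'" }
    else                                { $reason = 'ok' }
    [pscustomobject]@{
        Path = $Path; Product = $Product; Signer = $info.Signer; Thumbprint = $info.Thumbprint
        Status = $info.Status; Trusted = ($reason -eq 'ok'); Reason = $reason
    }
}

function Find-ImpostorProcesses {
    # Lists running processes whose name matches a known product but whose image is
    # not validly signed by that product's expected publisher, with their established
    # TCP peers so you can see where an unexpected binary is talking to.
    $conns = @{}
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
        $conns[[int]$_.OwningProcess] += @("$($_.RemoteAddress):$($_.RemotePort)")
    }
    foreach ($product in $ExpectedPublishers.Keys) {
        Get-Process | Where-Object { $_.Path -and $_.ProcessName -like "*$product*" } | ForEach-Object {
            $check = Test-ExpectedPublisher -Path $_.Path -Product $product
            if (-not $check.Trusted) {
                [pscustomobject]@{
                    Pid = $_.Id; Name = $_.ProcessName; Path = $_.Path
                    Signer = $check.Signer; Reason = $check.Reason
                    RemotePeers = ($conns[$_.Id] -join ', ')
                }
            }
        }
    }
}

# Usage 1: check a downloaded installer before running it (placeholder path).
Test-ExpectedPublisher -Path 'C:\Users\me\Downloads\installer.exe' -Product 'Notion' | Format-List

# Usage 2: after install, look for processes carrying a product's name with the wrong signer.
Find-ImpostorProcesses | Format-Table -AutoSize
```

The check treats Status other than Valid and a signer mismatch as separate failure reasons, because they call for different responses: an invalid or missing signature is ordinary unsigned malware, while a valid signature from an unexpected company is the signed-but-wrong-publisher pattern this article is about. Get-AuthenticodeSignature reports the state of the certificate chain at the time you run it, so a stolen certificate that has since been revoked will show a non-Valid status only once revocation information has reached your machine; do not treat a Valid result on an older download as proof that the certificate was never abused.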

Enable application control policies if you are on a managed device. On Windows, Windows Defender Application Control (WDAC) can restrict execution to binaries signed by specific publishers or matching known hashes, which blocks a validly signed installer from an unexpected signer. On macOS, Gatekeeper only requires that apps come from an identified developer and are notarized by Apple, so it is a weaker control against this kind of attack; a mobile device management profile or an allowlisting tool is needed to pin execution to specific apps.

If you suspect you’re infected

If you think you may have installed a tampered app, take these steps immediately:

  1. Disconnect from the internet to prevent further data exfiltration.
  2. Change passwords for any accounts that were accessed on that computer, and sign out of or revoke active sessions and app integrations for those accounts, since a stealer can take session tokens as well as passwords. Do this from a different, trusted device.
  3. Run a full security scan using a reputable antivirus or anti-malware tool. Consider using a second opinion scanner like Malwarebytes or HitmanPro.
  4. If you use the compromised app for work, notify your IT security team so they can check for lateral movement.
  5. Back up important files (after scanning them) and perform a clean reinstallation of your operating system. If a RAT was present, plan on this rather than treating it as a last resort, because you cannot be sure a scanner removed every persistence mechanism the attacker left behind.

The bottom line

Code signing was never a guarantee of safety; it proves who signed a file and that the file has not changed since, and TamperedChef is a reminder that attackers are willing to invest in stolen or fraudulently obtained certificates to borrow that proof. The best defense is old-fashioned caution: verify where your software comes from, confirm that the signer is the developer you expect and not merely a valid name, pay attention to how the software behaves, and keep your security tools tuned to detect anomalies rather than just known malware.

For ongoing updates, follow cybersecurity news sources that cover threat intelligence. The original report on TamperedChef can be found at CyberSecurityNews (published May 21, 2026).