Warning: Signed Productivity Apps Used to Spread TamperedChef Malware — What to Do

A recent malware campaign known as TamperedChef is making the rounds by hiding inside seemingly legitimate copies of popular productivity apps. What makes this attack particularly dangerous is that the malicious software is digitally signed, meaning it carries a certificate that normally tells your operating system the app is safe. Here’s what everyday users and small business owners need to know.

What Happened

Researchers have identified a campaign where attackers distribute versions of productivity tools—think apps like Notion, Slack, Trello, or similar—that have been tampered with. The malicious code is bundled into signed packages, using valid code-signing certificates that were either stolen or issued fraudulently. Once a user downloads and runs such an app, the malware installs silently.

The payload typically includes two types of threats:

  • Information stealers that grab saved passwords, browser cookies, screenshots, and keystrokes.
  • Remote Access Trojans (RATs) that give the attacker full control over the infected device—capable of moving laterally across a network, exfiltrating files, and deploying further malware.

Distribution appears to rely on fake update prompts and deceptive download sites that mimic official app stores or company portals. Because the binaries carry a valid signature, Windows and macOS may not flag them as suspicious.

Why It Matters

Most people trust signed software. A digital signature is supposed to guarantee that the code hasn’t been altered and comes from a known developer. When attackers obtain valid certificates, they bypass a key layer of protection. For small businesses, a compromised productivity app used by several employees can quickly lead to data breaches, credential theft, and even ransomware.

The TamperedChef campaign targets both Windows and macOS users, making it a cross-platform concern. While security researchers have detected the campaign, the full scale is still unknown. It’s unclear how many valid certificates were stolen or for how long the malware has been active. What is clear is that traditional antivirus signatures may not catch a signed malicious app if the certificate hasn’t been revoked yet.

What Readers Can Do

You don’t need to stop using productivity apps, but you should adjust how you install and update them. Here are practical steps:

  1. Download only from official stores or verified sources.
    Stick to the app’s official website (bookmarked, not via search ads) or the official app store for your platform (Microsoft Store, Mac App Store, or the developer’s direct link). Avoid third‑party download aggregators.

  2. Treat unexpected update prompts with suspicion.
    If an app suddenly asks to update itself outside its normal schedule, don’t click “Yes” immediately. Check the developer’s site or support channels to confirm a legitimate update exists. Many attacks spread through fake update banners.

  3. Use security software that detects behavior anomalies.
    Signature‑based antivirus is not enough. Modern endpoint protection tools look for unusual activity—like an app trying to access your password manager or send data to unknown servers—even if the file is signed.

  4. Keep your operating system and apps updated.
    Updates often include security fixes. However, apply them only from within the app itself (if it has an auto‑update feature) or from the official store.

  5. Verify app signatures when possible.
    On Windows, right‑click the executable, open Properties, and look at the Digital Signatures tab; select the signature and view the certificate details. Check who issued the certificate, who it was issued to, and whether the signature is valid and not expired. This isn’t foolproof (the TamperedChef binaries are signed with certificates that were valid at the time), but a missing signature or a signer that doesn’t match the app’s developer is a red flag.

  6. Back up critical data regularly.
    If a RAT gains access, having an offline backup can limit damage from potential data destruction or ransomware.
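As an added example that is not part of the original article, the manual check in step 5 scripted in PowerShell so it can be repeated for every download: it verifies the Authenticode signature, pins the expected publisher name instead of accepting any valid certificate, and asks the certificate chain about revocation, which catches the case where a stolen certificate has since been revoked. The file path and publisher name in the usage line are placeholders; take the real publisher name from a known-good copy of the app or the vendor’s documentation.

```powershell
# Added example: check a downloaded installer's Authenticode signature before running it.
# Assumes $Path is the downloaded .exe/.msi and $ExpectedSubject is the publisher's CN
# (the values used below are hypothetical placeholders).
function Test-SignedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubject
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. Status must be Valid; NotSigned, HashMismatch, NotTrusted and UnknownError are all red flags.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = "signature status: $($sig.Status)" }
    }
    $cert = $sig.SignerCertificate

    # 2. The signer must be the publisher you expect, not merely "some valid certificate".
    if ($cert.Subject -notlike "*CN=$ExpectedSubject*") {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = "unexpected signer: $($cert.Subject)" }
    }

    # 3. Rebuild the chain with online revocation checking: a stolen certificate may already be revoked,
    #    and Get-AuthenticodeSignature alone does not guarantee a fresh revocation lookup.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($cert)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = "chain/revocation check failed: $reasons" }
    }

    # All checks passed: report who signed it, who issued the certificate, and when it expires.
    [pscustomobject]@{
        Path    = $Path
        Verdict = 'OK'
        Reason  = "signed by $($cert.Subject); issued by $($cert.Issuer); valid until $($cert.NotAfter)"
    }
}

# Usage (hypothetical path and publisher name):
Test-SignedInstaller -Path "$env:USERPROFILE\Downloads\app-setup.exe" -ExpectedSubject 'Example Software Inc.'
```

A REJECT verdict means do not run the file; a mismatched signer on a file that otherwise looks like the real app is exactly the pattern this campaign relies on.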

Sources

  • CybersecurityNews: “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs” (May 21, 2026)
  • The Hacker News: “ThreatsDay Bulletin: Linux Rootkits, Router 0‑Day, AI Intrusions, Scam Kits and 25 New Stories” (May 21, 2026) – mentions the campaign in context
  • Additional industry reporting from threat intelligence feeds (details still emerging)

This is an evolving situation. Stay informed by following official security advisories, but more importantly, stay in the habit of cautious software installation—especially for the apps you rely on every day.