Hola Browser for Windows compromised to deliver cryptominer
The Windows version of Hola Browser was compromised in a supply chain attack that delivered an undeclared cryptocurrency miner executable to users. The compromise affected the browser's distribution or update mechanism.
- Disclosed: June 4, 2026
- Last updated: June 7, 2026
- Blast radius: Windows users of Hola Browser
- Ecosystems
- Attack vectors
- Affected entities: Hola Browser (Windows version compromised to deliver cryptominer)
The Windows version of Hola Browser was compromised in a supply chain attack that resulted in the delivery of malicious code to end users. Researchers identified an undeclared executable embedded in the compromised browser distribution that functioned as a cryptocurrency miner.
The attack represents a direct compromise of the browser's distribution or update infrastructure, allowing attackers to inject malicious payloads into legitimate software downloads. Users who installed or updated the affected Windows version of Hola Browser would have received the cryptominer without their knowledge or consent.
This incident demonstrates the risk of supply chain compromise at the application level, where attackers gain control over software distribution channels to deliver secondary payloads to a broad user base.
Indicators of compromise
- Packages: Hola Browser
Remediation
- Uninstall Hola Browser for Windows immediately
- Scan systems for cryptocurrency miner processes and artifacts
- Monitor system resources for unusual CPU usage or network activity indicative of cryptomining
- Update to a patched version of Hola Browser once available from official sources
- Consider using alternative browsers from trusted vendors
Sources
- Hola Browser for Windows compromised to deliver cryptominer · BleepingComputer
Cite this entry
"Hola Browser for Windows compromised to deliver cryptominer." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 4, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/hola-browser-for-windows-compromised-to-deliver-cryptominer-1smv3g