Hola Browser for Windows has been compromised in a software supply chain attack that delivered a hidden cryptocurrency miner to some users.
According to a report by BleepingComputer, the Windows version of Hola Browser was found installing an undeclared executable identified by cybersecurity researchers as a cryptominer. The issue was discovered during AppEsteem’s periodic certification testing process, after the browser had previously passed certification checks.
The incident highlights the continued risk of supply chain attacks, where trusted software or update channels are abused to distribute unwanted or malicious components.
What Happened to Hola Browser?
Hola Browser is a Chromium-based web browser that includes built-in VPN and proxy features. The browser is connected to Hola, an Israeli company best known for its Hola VPN service.
During recent app integrity checks, cybersecurity researchers discovered that some Hola Browser installations were delivering an undeclared executable file named me.exe. The file was reportedly installed under the C:\Program Files\Hola\ directory.
Researchers found several warning signs linked to the file. It was not certified, had no timestamp, was not digitally signed, contained obfuscated code, and was capable of writing to memory.
Further analysis by Sophos indicated that the file showed signs of being a Monero cryptocurrency miner.
How the Cryptominer Worked
The suspected cryptominer was designed to run quietly on affected Windows systems.
According to the findings, the miner added a Windows Defender exclusion rule, copied itself into the Program Files directory under the name HolaMonitorService.exe, and created an auto-starting Windows service called hola_monitor_svc.
The malware was also configured to run when the computer was idle. This type of behavior is commonly used by cryptominers to reduce the chances of being noticed by users while still consuming system resources to mine cryptocurrency.
Cryptominers can slow down computers, increase CPU usage, raise power consumption, and create unnecessary strain on affected devices.
Hola Confirms Supply Chain Compromise
Hola confirmed that it had suffered a supply chain compromise after being notified of the findings by AppEsteem. The company said the incident was also independently detected by cybersecurity firm Sygnia.
According to Hola, only around 0.1% of users were affected. The company also stated that it found no evidence that user data was accessed, stolen, or compromised during the incident.
Hola said it has since rebuilt its distribution pipeline, added stronger code-signing verification, improved access controls, and introduced continuous monitoring across its infrastructure.
These changes are intended to ensure that only declared, certified, and signed components are delivered to users in the future.
Why This Incident Matters
The Hola Browser cryptominer incident is another reminder that supply chain attacks remain a serious cybersecurity threat.
Unlike traditional malware attacks, supply chain attacks can take advantage of trusted software distribution systems. This means users may receive harmful files through channels they normally consider safe, such as official installers or updates.
For businesses and individual users, the incident shows why software integrity checks, endpoint protection, and careful monitoring of installed applications are important.
Even when a program appears legitimate, hidden components can still create security and performance risks if the software distribution process is compromised.
What Hola Browser Users Should Do
Windows users who have installed Hola Browser should take steps to check whether their systems may have been affected.
Users can review installed files under the Hola program directory, look for suspicious services such as hola_monitor_svc, and run a full system scan using reputable security software.
It is also recommended to update or reinstall software only from official sources and monitor devices for unusual CPU usage, overheating, slow performance, or unexpected security exclusions.
Businesses using Hola Browser should ask their IT or cybersecurity teams to inspect affected endpoints and verify whether any unauthorized executables or services are present.
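The checks described above can be scripted. The following is an added example, not code from Hola, AppEsteem or the original report: a read-only PowerShell check for the indicators this article names (me.exe, HolaMonitorService.exe, the hola_monitor_svc service, and Defender exclusions). It assumes an elevated session, because Defender hides exclusions from non-administrators. Matching exclusion entries on "hola" is also an assumption, since the article does not say what was excluded.

```powershell
# Added example: read-only check for the indicators named in this article.
# Run from an elevated PowerShell session; nothing is modified or deleted.
$holaDir     = 'C:\Program Files\Hola'             # directory named in the report
$fileNames   = 'me.exe', 'HolaMonitorService.exe'  # file names named in the report
$serviceName = 'hola_monitor_svc'                  # service name named in the report

# 1. Named files anywhere under Program Files (the article does not give the
#    exact folder HolaMonitorService.exe was copied to, so search recursively).
$namedFiles = Get-ChildItem -Path $env:ProgramFiles -Include $fileNames -File -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTimeUtc

# 2. Executables in the Hola directory whose Authenticode signature is not
#    valid (the reported me.exe was not digitally signed).
$badSignatures = @()
if (Test-Path -LiteralPath $holaDir) {
    $badSignatures = Get-ChildItem -LiteralPath $holaDir -Filter '*.exe' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AuthenticodeSignature -LiteralPath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Path, Status
}

# 3. The auto-starting service, together with the binary it launches.
$service = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'" |
    Select-Object Name, State, StartMode, PathName

# 4. Defender exclusions. The 'hola' match is an assumption (see lead-in);
#    review the full list as well.
$pref           = Get-MpPreference -ErrorAction SilentlyContinue
$allExclusions  = @($pref.ExclusionPath) + @($pref.ExclusionProcess) | Where-Object { $_ }
$holaExclusions = $allExclusions | Where-Object { $_ -match 'hola' }

# Summary object: any non-empty indicator field warrants a closer look.
[pscustomobject]@{
    NamedFiles       = $namedFiles
    InvalidSignature = $badSignatures
    Service          = $service
    HolaExclusions   = $holaExclusions
    AllExclusions    = $allExclusions
    IndicatorsFound  = [bool]($namedFiles -or $service -or $holaExclusions)
} | Format-List
```

An invalid signature on its own is not proof of compromise, so treat that field as a list of files to inspect rather than a verdict.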
Broader Cybersecurity Lesson
The compromise of Hola Browser shows how attackers continue to target software distribution pipelines to reach users at scale.
As more applications rely on automatic updates and online delivery systems, protecting the software supply chain has become a major cybersecurity priority.
For users, the best defense is to keep security tools enabled, avoid ignoring system performance issues, and stay alert to reports involving software they use.
For software vendors, the incident reinforces the need for strict code-signing, continuous monitoring, and stronger controls across build and distribution systems.
Final Thoughts
Hola Browser for Windows was compromised in a supply chain attack that delivered a hidden Monero cryptominer to some users.
While Hola says only a small percentage of users were affected and that no user data was compromised, the incident remains an important warning about the risks of trusted software channels being abused.
Users who installed Hola Browser on Windows should review their systems, run security scans, and ensure they are using the latest safe version of the software.
