More than two million people who downloaded security software CCleaner have been infected by malware on their computers, its developers have confirmed.
Piriform, the company behind the software, said on its website that a new version of the app had been tampered with before being released.
The malicious code was added to the legitimate code for CCleaner, which allows users to wipe unwanted files from their hard drives, and could have allowed hackers to take over the devices of 2.27 million people.
This technique is known as a “supply chain attack”: hackers often target trusted software to bypass the security checks that the organisations they are targeting might have in place.
The version of the software which had been “illegally modified” had been available for about a month before the tampering was detected.
“At this stage, we don’t want to speculate how the unauthorised code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it,” said Paul Yung, from Piriform.
He said the company quickly fixed the software once the malware had been spotted and that it automatically updated users to protect them from hackers.
“To the best of our knowledge, we were able to disarm the threat before it was able to do any harm,” said Mr Yung.
Independent analysis by Talos Intelligence, the research team at networking company Cisco, also discovered the malware.
“This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organisations and individuals around the world,” the Talos team wrote.