Once installed, the malware established persistence through a series of deliberate actions:
- Dropped a binary at C:\Program Files\Hola\HolaMonitorService.exe.
- Registered it as a Windows service named hola_monitor_svc and configured it with a start type of 0x00000002 (SERVICE_AUTO_START), ensuring it would launch automatically every time the system booted.

The me.exe binary was unsigned, obfuscated, and lacked a valid timestamp. Security researchers noted that the filename itself seemed chosen for its unremarkable appearance, allowing it to blend in with legitimate processes.

The scope of the compromise was relatively narrow. Sophos estimated that roughly 0.1% of Hola Browser users were affected. While that is a small fraction of the user base, the incident is a textbook supply chain attack: a trusted software distribution channel turned against its users, exploiting the trust users place in official installers, which typically receive little scrutiny.
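The persistence mechanism above is something a host-level hunt can check directly. The following PowerShell script is an added example written for this page; it is not code from Sophos, Hola, or the original article. It walks the services hive for entries with Start = 2 (SERVICE_AUTO_START), resolves each ImagePath to its executable, verifies the Authenticode signature, and flags entries that match the two indicators the article names (hola_monitor_svc and C:\Program Files\Hola\HolaMonitorService.exe) or whose binary is unsigned or missing. The function names, the indicator table, and the heuristic that an unsigned auto-start binary is worth triage are assumptions of the example.

```powershell
# Added example, not code from Sophos, Hola or the original article.
# Hunts for the persistence described above: an auto-start service whose
# binary is unsigned. Assumes an elevated PowerShell session on Windows.

# Indicators taken from the article; everything else here is illustrative.
$Indicators = @{
    ServiceName = 'hola_monitor_svc'
    ImagePath   = 'C:\Program Files\Hola\HolaMonitorService.exe'
}

function Get-ServiceBinaryPath {
    param([string]$ImagePath)
    # ImagePath may be quoted, carry arguments, use %SystemRoot%, or be a
    # path relative to the Windows directory; reduce it to the executable.
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.TrimStart('"') }
    } else {
        # Unquoted path with arguments: keep everything up to the first ".exe".
        $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    if ($p -match '^\\SystemRoot\\') { $p = $p -replace '^\\SystemRoot', $env:SystemRoot }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Find-SuspiciousAutoStartServices {
    $results = @()
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Start = 2 is SERVICE_AUTO_START, the value the malware configured.
        if (-not $props -or $props.Start -ne 2 -or -not $props.ImagePath) { continue }

        $exe    = Get-ServiceBinaryPath $props.ImagePath
        $exists = $exe -and (Test-Path -LiteralPath $exe)
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        $reasons = @()
        if ($key.PSChildName -ieq $Indicators.ServiceName) { $reasons += 'service name matches IOC' }
        if ($exe -ieq $Indicators.ImagePath)               { $reasons += 'image path matches IOC' }
        if (-not $exists)                                   { $reasons += 'binary not found on disk' }
        elseif ($sig.Status -ne 'Valid')                    { $reasons += "signature: $($sig.Status)" }

        if ($reasons.Count -gt 0) {
            $results += [pscustomobject]@{
                Service = $key.PSChildName
                Binary  = $exe
                Signer  = $signer
                Reasons = $reasons -join '; '
            }
        }
    }
    return $results
}

Find-SuspiciousAutoStartServices | Format-Table -AutoSize -Wrap
```

Treat an unsigned result as a triage signal rather than a verdict: some legitimate third-party services ship unsigned binaries, and a service whose binary is absent from disk can be an uninstall leftover as easily as tampering. The hits that pair an auto-start entry with an unsigned binary in an unexpected directory, or that match either indicator outright, are the ones to pull for analysis.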
The attack was not a breach of Hola's source code. Instead, it exposed the weakness of the software build and release pipeline: even when developers write clean code, a compromise during compilation, packaging, or distribution can poison the final product.
Once Sophos X-Ops reported the finding, Hola moved to contain the threat and prevent a recurrence. The company's remediation steps included:
Despite these measures, as of the public disclosure on June 4, 2026, critical questions remain unanswered. Hola has not publicly revealed the attack vector (how the pipeline was first breached), the identity of the threat actor, or the duration of their access. The full forensic picture remains closed to the public, a gap that leaves both users and the security community with a cautionary tale but an incomplete understanding of the threat.