The same week researchers reported that the National Security Agency had been embedding surveillance tools in the guts of thousands of machines in Iran, Russia and other countries, it was revealed that the world’s largest personal computer company had been doing something similar to its customers.

The Chinese computer-making giant Lenovo was inserting spyware — its defenders would call it adware — in its PCs. This software could track customers’ every online move, intercept secure web sessions and render their computers vulnerable to hackers.

The company buried its software in the lowest level of a PC’s operating system, precisely where customers and antivirus products would never detect it, and had been siphoning data back to servers belonging to Superfish, an Israeli software company headquartered in Silicon Valley that markets itself as a visual search company.

The discoveries are the latest in a string of revelations indicating that as traditional security defenses have begun to fully surround the outer layers of our devices, criminals, nation-states’ hackers and apparently advertisers have turned their focus inward, to the very heart of the machine, where their code is easily concealed.

Before this week’s discoveries, there had been only two known cases of malicious code attacking the lowest level of a machine. The first was a 1998 computer virus, called CIH, for the initials of its author, Chen Ing-Hau, then a 24-year-old college student in Taiwan.

The virus was dubbed Chernobyl because it was timed to strike on April 26, 1999, the 13th anniversary of the 1986 Chernobyl nuclear power plant disaster. Though it was designed to prove that a concept would work in the real world, it quickly spread beyond Taipei’s Tatung Institute of Technology to millions of computers around the world.

The incident was a wake-up call to computer security experts, who for years had been developing antivirus products for the outer layers of a computer’s operating system, but not the lowest levels of a machine. Security experts started to talk about there being “a race to the bare metal” of a machine.

Their fears were realized in September 2011, after security researchers discovered Mebromi, a second virus. The virus modified the first software that runs on a machine — the basic-input-output-system, or BIOS — in such a way that any attempt to clean it from the computer would be futile because the BIOS would just continue to reinfect it. But Mebromi affected only a small set of Chinese users.

What makes the latest discoveries so disconcerting is that if a government or company can plant spyware in the lowest level of a machine, it can steal your passwords, serve up any web page, steal your encryption keys and control your entire digital experience, undetected.

“If they can do that, they can do anything,” said Peter Horne, the technology expert who first discovered the spyware in Lenovo’s products.

Mr. Horne, a 25-year veteran of the financial services technology industry, was the first to discover Superfish early last month in a new Lenovo Yoga 2 Notepad he bought in Sydney, Australia.

Even though the PC came with McAfee antivirus software, Mr. Horne said, he installed antivirus software made by Trend Micro. Neither virus scanner picked up adware on the machine. But Mr. Horne noted that traffic from the PC was being redirected to a website called best-deals-products.com. When he dug further, he found that website’s server was making calls to Superfish adware.

Superfish’s “visual discovery” adware, Mr. Horne and others now say, is far more intrusive than typical adware. It not only drops ads into a user’s web browser sessions, it hijacks a secure browsing session and scoops up data as users enter it into secure websites. In the process, it makes it easy for hackers to intercept communications.

Mr. Horne returned his PC and went on to test Lenovo’s demonstration machines at Best Buy stores in New York and Boston and at other retailers in Sydney and Perth. He found Superfish adware on other Lenovo Yoga 2 models and the Lenovo Edge 15.

Superfish’s co-founder, Adi Pinhas, did not return requests for comment.

In a statement issued on Thursday, Lenovo said it had included Superfish in some consumer notebooks shipped between September and December “to help customers potentially discover interesting products while shopping.”

Citing bad user reviews, the company said it had stopped including the adware in January, the same month Mr. Horne brought the issue to the company’s attention; he never received a response.

By partnering with Superfish, Mr. Horne said, “Lenovo is either extraordinarily stupid or covering up. Either is an offense to me.”

As news of the Lenovo issue began circulating on Thursday, security researchers developed online tools for users to figure out whether Superfish was installed on their machines, and Microsoft began rooting out Superfish with its Windows Defender antivirus software.

“The problem is: What can we trust?” Mr. Horne said. “People trust software, then learn it gets compromised. We trust hardware and firmware, until you learn it’s been compromised with adware. We trust the actual box, until we learn it’s been taken into a little room somewhere.”