Wii U emulator Cemu 2.6 for Linux was compromised by a Russian threat actor for a week

Between May 6 and May 12, a malware was inserted into the Cemu 2.6 AppImage and Ubuntu zip assets on GitHub by a pro-Russian threat actor. These compromised files, Cemu-2.6-x86_64.AppImage and cemu-2.6-ubuntu-22.04-x64.zip, affected only users who downloaded them from GitHub or through third-party launchers during this period.

Following these events, the official releases have now been restored to their original, uncompromised versions. Users on Windows, macOS, or running the Flatpak package are not impacted by this incident.

For those who obtained or ran the affected Linux binaries between May 6 and May 12, action is required. The risk of immediate harm is lower if the program was only run once, but users should still treat their systems as compromised. Notably, if a machine's locale is Russian, the malware remains inactive.

As the full functionality of the malware remains undetermined, a clean operating system install is recommended. At a minimum, delete the compromised binaries and reset all passwords, GitHub tokens, SSH keys, and any other credentials, as the malware includes a sophisticated credential-stealing component aimed at programming and cloud accounts. Blocking traffic to IP address 83.142.209.194 may also mitigate some threat activity because this is used as a hardcoded remote endpoint. On systems set to Israeli locale and timezone, there is a 1 in 6 chance the malware will play a loud siren and attempt to erase all files with the command rm -rf /.