Cemu, EmuDeck, and 22,000 Users at Risk: Here's How Malware Infiltrated Official Linux Builds
The Emulator
Cemu, the open-source project that allows users to run Wii U titles on PC, is at the center of a serious security incident: the Linux binaries of release v2.6 distributed via GitHub were replaced with malware-infected versions, which remained available for download between May 6 and May 12, 2026. Two files were affected: the generic AppImage and the ZIP package for Ubuntu 22.04 x64. Builds for Windows and macOS, as well as the version distributed via Flatpak on Flathub, were not affected. Anyone who downloaded and ran one of the two infected files during that period should consider their system compromised.
How the Compromise Occurred
The method was a classic supply-chain attack: a contributor to the project, identified by the nickname MangleSpec/Petergov, ran a malicious Python package inside a WSL (Windows Subsystem for Linux) environment. That package was designed to steal credentials, and in this case it exfiltrated the developer's GitHub token. With that token in hand, the attackers removed the original assets of release v2.6 and re-uploaded the Linux binaries as modified versions containing the payload.
The incident is not an isolated case: Cemu was targeted as part of what researchers at International Cyber Digest describe as a coordinated series of supply chain attacks against widely used open source tools. During the same period, a campaign called Mini Shai-Hulud compromised npm packages of projects like TanStack, Mistral AI, and Guardrails AI using stolen GitHub OIDC tokens and similar techniques; in each case the goal was to spread further through the publishing credentials of the affected maintainers.
What the Malware Does
The main documented behavior is that of a self-propagating credential harvester: once executed, it collects SSH keys, GitHub tokens, cloud service passwords, API keys, and anything that could be used to access other systems or repositories. The declared goal is maximum possible spread, infecting other software packages via stolen tokens, just as had already happened in the case affecting Cemu itself.
However, there is a second, more aggressive payload with a clear geopolitical connotation: if the malware detects that the system is located in Israel (through keyboard layout and timezone settings), it may initiate recursive deletion of the entire filesystem with the command rm -rf /* and, according to reports, trigger an alarm siren. This component makes the malware a hybrid between a credential stealer and a selective wiper.
The IP 83.142.209.194 is hardcoded in the malicious code as a remote communication endpoint. The Cemu team has not yet completed the analysis of the malware's capabilities, so it is not possible to rule out further undocumented functionalities.
The Scope of the Incident
Estimates circulating on community forums indicate about 22,000 potentially affected users: 2,000 via the Ubuntu ZIP package and approximately 20,000 via the AppImage. The latter is also the format that EmuDeck, the popular launcher for Steam Deck, automatically downloads from GitHub to install Cemu, which likely amplified the spread among users who were unaware they were running an updated binary.
The SHA256 hashes of the safe and infected files have been published by the team on the GitHub page and in a separate PSA document, which also contains a list of files and directories that the malware may have created on the system. However, the team explicitly warns that the absence of those files is not a guarantee of cleanliness.
What to Do If You Are at Risk
Anyone who downloaded and ran Cemu between May 6 and May 12 should take the following measures in order: immediately delete the files cemu-2.6-x86_64.AppImage and cemu-2.6-ubuntu-22.04-x64.zip if present; verify the SHA256 checksum of the file in their possession before considering it safe; block the IP 83.142.209.194 as an immediate precaution; rotate all potentially exposed credentials, including passwords, GitHub tokens, SSH keys, API keys for cloud services, and CI/CD tokens. In the most critical cases, especially on machines used for development or with access to infrastructure, reinstalling the operating system is the safest path.
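One way to carry out the checksum step above, as an added example that is not the Cemu team's own script: it triages each of the two named v2.6 assets as clean, infected or unknown by comparing its digest with the values the team published. The digest values in the script are placeholders to be filled in from the PSA, and the two search directories (~/Downloads for a manual download, ~/Applications for an EmuDeck install) are assumptions.

```shell
#!/bin/sh
# Added example, not the Cemu team's own tooling: triage a Cemu v2.6 Linux
# asset by comparing its SHA256 digest with the clean and infected digests
# published in the PSA. Digest values are PLACEHOLDERS; directories are assumed.
CLEAN_APPIMAGE="<clean sha256 of cemu-2.6-x86_64.AppImage from PSA>"
BAD_APPIMAGE="<infected sha256 of cemu-2.6-x86_64.AppImage from PSA>"
CLEAN_ZIP="<clean sha256 of cemu-2.6-ubuntu-22.04-x64.zip from PSA>"
BAD_ZIP="<infected sha256 of cemu-2.6-ubuntu-22.04-x64.zip from PSA>"

# sha256_of FILE: print the lowercase hex digest of FILE; fail if unreadable.
sha256_of() {
    [ -r "$1" ] || return 1
    sha256sum "$1" | cut -d' ' -f1 | tr 'A-Z' 'a-z'
}

# classify_asset FILE CLEAN_SHA256 BAD_SHA256
# Prints one of: clean, infected, unknown, missing. Digests are compared
# case-insensitively so an uppercase value copied from the PSA still matches.
classify_asset() {
    file=$1
    clean=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    bad=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    actual=$(sha256_of "$file") || { echo missing; return 0; }
    if [ "$actual" = "$clean" ]; then
        echo clean
    elif [ "$actual" = "$bad" ]; then
        echo infected
    else
        # Matches neither published digest (rebuilt, re-packed or unrelated
        # file): treat as untrusted until checked against the release page.
        echo unknown
    fi
}

# triage_dir DIR: classify both named v2.6 assets if they are present in DIR.
triage_dir() {
    for name in cemu-2.6-x86_64.AppImage cemu-2.6-ubuntu-22.04-x64.zip; do
        case $name in
            *.AppImage) verdict=$(classify_asset "$1/$name" "$CLEAN_APPIMAGE" "$BAD_APPIMAGE") ;;
            *)          verdict=$(classify_asset "$1/$name" "$CLEAN_ZIP" "$BAD_ZIP") ;;
        esac
        printf '%s: %s\n' "$1/$name" "$verdict"
    done
}

# Assumed locations: a manual download directory and EmuDeck's AppImage directory.
for d in "$HOME/Downloads" "$HOME/Applications"; do
    if [ -d "$d" ]; then triage_dir "$d"; fi
done
```

A verdict of "unknown" is not a clean bill of health: only a match with the clean digest from the PSA should be accepted, and a match with the infected digest means the credential-rotation steps above apply in full.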
The team has already republished clean versions and removed compromised assets from GitHub, implementing additional measures to prevent infected builds from being automatically published in the future via the project’s CI/CD pipelines.