
Popular Wii U emulator CEMU has been offering compromised downloads for days

The CEMU emulator development team has revealed that for almost a week, its GitHub page has been offering compromised builds for Linux.

CEMU, one of the most popular and successful emulators available, has been found to be offering compromised files to Linux users this month. The development team today put out a security PSA detailing the discovery, who it suspects is affected, and ways for users to make sure they are safe. Released in 2015, the open-source emulator runs Nintendo's Wii U games.

The development team announced the newly discovered issue via its official Discord channel today, May 12. It revealed that compromised files had been spread via its official GitHub page between May 6 and May 12, with the source being named as a "pro-Russian threat actor."

The modified files were in the Linux builds that the team offers, affecting both direct downloads from the GitHub page and third-party launchers that download from the repository.

The team says that Windows and macOS files are safe and haven't been a part of the attack. Flatpak users are also in the safe group, per the developers.

The affected files are "Cemu-2.6-x86_64.AppImage" and "cemu-2.6-ubuntu-22.04-x64.zip." The malware in these files reportedly won't activate on the first run of the compromised builds, possibly to hide itself for later activation. If a user in Russia opens them, the malware doesn't activate at all.

"We are still tracking the exact chain of events down but the leading theory is that a collaborator on our team ran a compromised python package which stole his GitHub token," said the team about how it thinks the situation came to be. "This was then used to reupload a compromised version of the two linux binaries in the v2.6 (latest) release of Cemu. We have taken measures to prevent this from happening in the future."

The team describes the malware as a "sophisticated password stealer for many services", but it is currently unclear whether it has further targets and goals. CEMU developers added that if the malware detects that the user is in Israel, it will also play siren sounds and attempt to wipe the filesystem using 'rm -rf /'.

For users who are worried that their systems are affected, the CEMU team recommends a clean reinstall of the operating system to be completely safe. The complete security PSA details more methods to reduce the risk from malware, and future updates about the situation are slated to be posted there as well.
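As a first triage step before deciding on a reinstall, the following added example (not from the CEMU team or its PSA) searches a directory tree for the two file names listed above and marks copies whose modification time falls between May 6 and May 12. It assumes GNU find, takes the year as an argument because the article does not state one, and treats modification time only as an approximation of download time; the function name `cemu_suspects` is hypothetical.

```shell
#!/bin/sh
# Added example: locate the two Linux artifacts named in the PSA and flag
# copies whose modification time falls in the May 6 - May 12 window.
# Assumptions: GNU find (-newermt); the caller supplies the year; mtime is
# a heuristic, since download tools and extraction can change it.

# Usage: cemu_suspects DIR YEAR
# Prints one line per match: "<status><TAB><path>"
cemu_suspects() {
    dir=$1
    year=$2
    start="$year-05-06 00:00:00"
    end="$year-05-13 00:00:00"   # exclusive bound, so all of May 12 is covered

    # Match by exact file name; renamed copies will not be found.
    find "$dir" -type f \( -name 'Cemu-2.6-x86_64.AppImage' \
        -o -name 'cemu-2.6-ubuntu-22.04-x64.zip' \) 2>/dev/null |
    while IFS= read -r f; do
        # Re-test the single file against the time window.
        if [ -n "$(find "$f" -newermt "$start" ! -newermt "$end")" ]; then
            printf 'IN-WINDOW\t%s\n' "$f"
        else
            printf 'outside-window\t%s\n' "$f"
        fi
    done
}

# Stand-alone use: sh script.sh --scan DIR YEAR
if [ "${1:-}" = "--scan" ]; then
    cemu_suspects "${2:-$HOME}" "${3:-}"
fi
```

An empty result does not clear a system, because third-party launchers may store the download under a different name or delete it after installation.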
