If you recently downloaded the Cemu emulator for Linux from the project’s GitHub, be aware: it may have added malware to your system.

The team behind the Wii U emulator discovered that both Linux builds of Cemu 2.6 on Github, the AppImage and a standalone Ubuntu 22.04 ZIP, were “compromised”. Cemu’s Flatpak was not affected, nor were the GitHub installers for Windows and macOS.

If you downloaded the Cemu 2.6 AppImage or Ubuntu 22.04 ZIP from the project’s GitHub, or used a third-party launcher that pulls from there, between 6 May and 12 May, 2026, you may have a compromised build.

If you opened or ran it on any Linux distro, you can assume your system is affected.

If you never unpacked the ZIP or ran the AppImage then delete the package files (or verify against the hashes, see below) and stay cautious.

How’d this happen?

The compromise reportedly came from one of the project’s own collaborators who “ran a compromised python package which stole his GitHub token. This was then used to reupload a compromised version of the two linux binaries in the v2.6 (latest) release of Cemu.”

The incident appears to be part of a “coordinated series of supply chain attacks targeting widely-used open source tools”, as tracked by International Cyber Digest.

The team says it has taken steps to ensure there can’t be a repeat of malware-stuffed builds being auto-published on its GitHub (it, like all software, is vulnerable to ‘poisoning’).

What to do if you’re infected

An FAQ shared by the team has more details, and a warning for Israeli users since the malware will attempt to wipe the entire filesystem for users in the country. The FAQ also provides hashes of known ‘good’ builds of v2.6, if you wish to verify a download.

There’s currently no reliable way to know if you’re affected since the team says “the full capabilities of the malware” are yet to be determined. It’s assumed to be a credential harvester pilfering cloud passwords, tokens, keys, service tokens and even some configs.

A list of files/folders which thought to be created by the malware when present are listed on the FAQ, though the lack of any file or folder in that list shouldn’t be read as safe.

Bluntly: if you downloaded and used Cemu recently you might be affected so you should reinstall your OS as a matter of caution, if not urgency. You should also reset critical passwords, SSH keys and service tokens as soon as you’re able.

h/t Dominic