If you’ve downloaded the Cemu Wii U emulator for Linux from the project’s official GitHub in the past few weeks, bad news: it may have added malware to your system when you ran it.

The team who develop the the open-source emulator recently discovered that both the Linux AppImage and ZIP package of Cemu 2.6 on Github were “compromised” packages containing malware. The Cemu Flatpak and installers for Windows and macOS are not affected.

Anyone who downloaded the Cemu 2.6 AppImage or Ubuntu 22.04 ZIP from the project’s GitHub, or got via a third-party launcher, between the dates of 6 May and 12 May, 2026 and opened or ran it on any Linux distro should assume their system is now compromised.

Those who never unpacked the standalone ZIP or ran the AppImage should delete the package files promptly (or verify against the hashes; see below) and stay cautious.

How’d this happen?

The compromise reportedly came from one of the project’s own collaborators who “ran a compromised python package which stole his GitHub token. This was then used to reupload a compromised version of the two linux binaries in the v2.6 (latest) release of Cemu.”

The incident appears to be part of a “coordinated series of supply chain attacks targeting widely-used open source tools”, as tracked by International Cyber Digest.

The team says it has taken steps to ensure there can’t be a repeat of malware-stuffed builds being auto-published on its GitHub (it, like all software, is vulnerable to ‘poisoning’).

What to do if you’re infected

An FAQ shared by the team has more details, and a warning for Israeli users since the malware will attempt to wipe the entire filesystem for users in the country. The FAQ also provides hashes of known ‘good’ builds of v2.6, if you wish to verify a download.

There’s currently no reliable way to know if you’re affected since the team says “the full capabilities of the malware” are yet to be determined. It’s assumed to be a credential harvester pilfering cloud passwords, tokens, keys, service tokens and even some configs.

A list of files/folders which thought to be created by the malware when present are listed on the FAQ, though the lack of any file or folder in that list shouldn’t be read as safe.

Bluntly: if you downloaded and used Cemu recently you might be affected so you should reinstall your OS as a matter of caution, if not urgency. You should also reset critical passwords, SSH keys and service tokens as soon as you’re able.

h/t Dominic