If you’ve downloaded the Cemu Wii U emulator for Linux from the project’s official GitHub in the past few weeks, bad news: it added malware to your system when you ran it.
An announcement from the team developing the open-source app says they recently discovered that the Linux AppImage and ZIP of the Cemu 2.6 release available from their GitHub had been “compromised” with malware between 6 May and 12 May, 2026.
The Cemu Flatpak and the installers for other operating systems were not affected.
Linux users who directly downloaded the Cemu 2.6 AppImage or Ubuntu ZIP assets from the project GitHub, or got them via a third-party launcher that fetches them from GitHub, and then opened or ran the app should assume their system is infected with the malware payload.
Those who never unpacked the standalone ZIP or gave the AppImage permission to run may be fine, but should delete the package files promptly (or verify against the hashes; see below).
How’d this happen?
The compromise reportedly came from one of the project’s own contributors who “ran a compromised python package which stole his GitHub token. This was then used to reupload a compromised version of the two linux binaries in the v2.6 (latest) release of Cemu.”
Cemu has been caught in the opportunistic crosshairs of a “coordinated series of supply chain attacks targeting widely-used open source tools”, per tracking by International Cyber Digest. Poisoning one widely used FOSS tool can ripple outwards.
The team says it has now taken steps to ensure there won’t be a repeat of malware-stuffed builds being auto-published on its GitHub.
An FAQ shared by the team offers more details on the incident, alongside an additional warning for Israeli users as the malware is designed to wipe the entire filesystem (and play a siren) if it detects the user is from or based in the country.
The FAQ also provides hashes of known ‘good’ builds of v2.6, if you wish to verify a download.
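One way to run that hash check without opening the files, as an added example that is not from the Cemu team or the FAQ: it hashes any Cemu AppImage or ZIP in a folder, compares each against a known-good list, and flags whether the file has been given permission to run. The filename filter and the default `~/Downloads` folder are assumptions, and the known-good set is a placeholder to fill in from the FAQ.

```python
"""Triage downloaded Cemu 2.6 Linux assets by hash, without executing them."""
import hashlib
import os
import stat
import sys
from pathlib import Path

# PLACEHOLDER: paste the SHA-256 values of the known-good v2.6 builds from the
# FAQ here (hex strings). While empty, every file reports as NOT-VERIFIED.
KNOWN_GOOD_SHA256 = set()

# Assumed filename patterns for the two affected asset types (AppImage, ZIP).
PATTERNS = ("*.AppImage", "*.zip")


def sha256_of(path, chunk=1 << 20):
    """Hash the file in chunks; the file is only read, never run."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            digest.update(block)
    return digest.hexdigest()


def triage(directory, known_good):
    """Return (path, sha256, verdict, executable_bit) per candidate file."""
    good = {h.strip().lower() for h in known_good}
    results = []
    for pattern in PATTERNS:
        for path in sorted(Path(directory).rglob(pattern)):
            if "cemu" not in path.name.lower() or not path.is_file():
                continue
            digest = sha256_of(path)
            verdict = "known-good" if digest in good else "NOT-VERIFIED"
            # An AppImage only runs once it has been given execute permission.
            exec_bit = bool(path.stat().st_mode & stat.S_IXUSR)
            results.append((str(path), digest, verdict, exec_bit))
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    rows = triage(target, KNOWN_GOOD_SHA256)
    for path, digest, verdict, exec_bit in rows:
        print(f"{verdict:12}  exec={exec_bit!s:5}  {digest}  {path}")
    # Non-zero exit if anything failed verification, for use in scripts.
    sys.exit(1 if any(r[2] != "known-good" for r in rows) else 0)
```

A file that reports NOT-VERIFIED should be deleted rather than opened; a cleared executable bit does not prove the file was never run.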
What to do if you think you’re infected
There’s currently no reliable way to know if you’re infected, as the team says “the full capabilities of the malware” are yet to be determined. It’s assumed to be a credential harvester, designed to steal cloud passwords, tokens, keys, service tokens, etc.
Files and folders thought to be created by the malware (if present) are listed in the aforelinked FAQ, but don’t take the absence of any file or folder on that list to mean you’re safe.
Bluntly: if you downloaded and used Cemu recently you might be affected, so you should reinstall your OS as a matter of caution, if not urgency. You should also reset critical passwords, SSH keys and service tokens as soon as you’re able.
h/t Dominic