Linux malware hidden in Cemu Wii U emulator AppImage

omg! ubuntu

If you recently downloaded the Cemu emulator for Linux as an AppImage from the official project GitHub, be aware: it may have added malware to your system.

The team behind the Wii U emulator discovered that the AppImage and Ubuntu ZIP assets for the Cemu 2.6 release hosted on the project's GitHub were “compromised”. Only those were affected: the Flatpak build was not, nor were the builds for Windows and macOS.

To wit: if you downloaded Cemu 2.6 between 6 May, 2026 and 12 May from the project’s GitHub page (or used a third-party launcher that downloads a build from there instead) and you opened or ran it on any Linux-based distro, you can assume your system is affected.

If you never unpacked the ZIP or ran the AppImage, delete the package files (or verify them against the hashes, see below) and stay cautious.

The team says: “a collaborator on our team ran a compromised python package which stole his GitHub token. This was then used to reupload a compromised version of the two linux binaries in the v2.6 (latest) release of Cemu”.

Was this novel emulator caught in the cross-hairs? It seems so. International Cyber Digest is tracking a “coordinated series of supply chain attacks targeting widely-used open source tools”, which is likely the root cause of the ‘poisoning’.

The team says it has taken steps to ensure there can’t be a repeat of malware-stuffed builds being auto-published on its GitHub (it, like all software, is vulnerable to supply chain-side attacks). It’s published an FAQ with extra detail (including an extra warning for Israeli users).

However, there’s currently no reliable tell, and the team admits it doesn’t know “the full capabilities of the malware” at present. A list of files/folders that might be created by it is given, but users shouldn’t assume the absence of any/all of them means they’re safe.

The FAQ lists hashes of known ‘good’ builds of v2.6, if you wish to verify a download.

But bluntly, if you think you might be affected you should reinstall your OS as a matter of caution, if not urgency, and reset all critical passwords, SSH keys and service tokens.
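For downloads that were never unpacked or run, the hash check mentioned above can be scripted so that files are only read, never executed. This is an added example, not code from the Cemu project or its FAQ: the sha256sum-style manifest format, the script name and the file layout are assumptions, and the known-good hashes have to be copied from the FAQ because they are not reproduced here.

```python
"""Check downloaded release files against a known-good SHA-256 list without running them."""
import hashlib
import sys
from pathlib import Path

HEX = set("0123456789abcdef")

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hash>  <name>') into {name: hash}."""
    known = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or line.lstrip().startswith("#"):
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) == 64 and set(digest) <= HEX and name:
            known[name] = digest
    return known

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks; the file is only read, never executed or unpacked."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(path, known):
    """Return 'known-good', 'MISMATCH' (listed name, different bytes) or 'unlisted'."""
    path = Path(path)
    if sha256_file(path) in known.values():
        return "known-good"          # content matches, whatever the file is called
    if path.name in known:
        return "MISMATCH"            # same asset name as a good build, altered content
    return "unlisted"                # not verifiable from this list; do not run it

def scan(directory, known, patterns=("*.AppImage", "*.zip")):
    """Classify every candidate download under a directory."""
    root = Path(directory)
    files = sorted(p for pat in patterns for p in root.rglob(pat) if p.is_file())
    return {str(p): classify(p, known) for p in files}

if __name__ == "__main__":
    # Usage (assumed layout): python check_downloads.py good_hashes.txt ~/Downloads
    manifest, directory = sys.argv[1], sys.argv[2]
    known_good = parse_manifest(Path(manifest).read_text())
    results = scan(directory, known_good)
    for name, verdict in results.items():
        print(f"{verdict:10}  {name}")
    # Non-zero exit if anything could not be verified as a known-good build.
    sys.exit(0 if all(v == "known-good" for v in results.values()) else 1)
```

A `known-good` verdict only covers a file that was never opened; it says nothing about a system on which a compromised build already ran.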

h/t Dominic