
Unfortunately, the popular Nintendo Wii U emulator Cemu was recently compromised, with some of its Linux builds serving up malware.

A ticket was opened on the GitHub page on May 12, with the reporter noting that a user had re-uploaded certain v2.6 builds and wiped the originals. Only the 64-bit Ubuntu 22.04 build and the Linux AppImage were affected; the Flatpak was not, and the Windows and macOS builds were unaffected.

The developers have already removed the offending versions of the emulator, so it is safe to download now.
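The attack described above replaced already-published release assets rather than adding a new release. One signal a maintainer or downstream packager can check for is an asset whose upload time is well after the release itself was published. The script below is an added example, not code from GamingOnLinux or the Cemu project; it works on the field names the GitHub REST API returns for a release (`published_at`, `author.login`, `assets[].name`, `assets[].created_at`, `assets[].uploader.login`), and the release JSON it reads is a constructed sample, not real Cemu data.

```python
"""
Added example: flag release assets that were (re-)uploaded long after the
release was published, or by someone other than the release author.
The JSON below is a constructed sample shaped like a GitHub release
API response; it is not the real Cemu release.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample release: two Linux assets were re-uploaded weeks later.
SAMPLE_RELEASE_JSON = """
{
  "tag_name": "vX.Y",
  "published_at": "2024-01-01T10:00:00Z",
  "author": {"login": "release-bot"},
  "assets": [
    {"name": "app-windows-x64.zip",
     "created_at": "2024-01-01T09:55:00Z",
     "uploader": {"login": "release-bot"}},
    {"name": "app-ubuntu-22.04-x64.zip",
     "created_at": "2024-01-20T03:12:00Z",
     "uploader": {"login": "co-maintainer"}},
    {"name": "app-linux-x86_64.AppImage",
     "created_at": "2024-01-20T03:13:00Z",
     "uploader": {"login": "co-maintainer"}}
  ]
}
"""


def _parse_ts(value):
    """Parse the GitHub API timestamp format (UTC, trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def suspicious_assets(release, max_delay=timedelta(hours=24)):
    """Return [(asset_name, [reasons])] for assets worth a second look.

    Two heuristics:
      * the asset was created more than `max_delay` after the release was
        published (normal CI uploads assets at or before publish time);
      * the asset uploader differs from the release author.
    The second is only a hint: in the Cemu incident the uploading account
    was a legitimate co-author whose token was stolen, so timing is the
    stronger signal.
    """
    published = _parse_ts(release["published_at"])
    author = release["author"]["login"]
    findings = []
    for asset in release["assets"]:
        reasons = []
        created = _parse_ts(asset["created_at"])
        if created - published > max_delay:
            reasons.append(f"created {created - published} after the release was published")
        uploader = asset["uploader"]["login"]
        if uploader != author:
            reasons.append(f"uploaded by {uploader}, release author is {author}")
        if reasons:
            findings.append((asset["name"], reasons))
    return findings


def suspicious_assets_from_json(text, max_delay=timedelta(hours=24)):
    """Convenience wrapper: parse a release JSON document and analyse it."""
    return suspicious_assets(json.loads(text), max_delay)


if __name__ == "__main__":
    for name, reasons in suspicious_assets_from_json(SAMPLE_RELEASE_JSON):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Against a real repository the same function can be fed the output of `GET /repos/{owner}/{repo}/releases/tags/{tag}`; anything it flags should be compared against a checksum recorded at the time of the original release, since the timestamp check only tells you an asset changed, not what it changed to.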

Turns out, the user account responsible belongs to a long-term co-author of Cemu whose WSL (Windows Subsystem for Linux) system was compromised. How exactly? One of the developers said:

From preliminary analysis it seems that mostly it is trying to spread itself rather than cause direct damage. It does that by stealing SSH keys, GitHub tokens and a lot of other passwords or keys that they can then use to infect more packages or software releases. This is likely also how we got affected. The other Cemu author (MangleSpec/Petergov) ran software in WSL which was compromised, through which they got hold of his GitHub token. At least that is our leading theory.

Curiously, the malware was designed to steal passwords and security keys, but not just that: it also carried a special payload that, if it detected you were in Israel, would attempt to play a loud siren and wipe your filesystem. Ouch.

You can see more information in their PSA post.

In other security news we recently had the big Dirty Frag and Copy Fail vulnerabilities to deal with too.

Article taken from GamingOnLinux.com.
6 comments

fenglengshun 4 hours ago
I actually found this out from Emudeck Discord which linked to https://rentry.org/cemu-security-psa to see if you have a version which is impacted.
LoudTechie 2 hours ago
This sounds like real hacktivism.
Not the kind of fake hacktivism APTs sometimes pretend, but really someone who is trying to make a political statement by hacking.

Clearly unfinished and unprofessional
Explained: rm -rf / really?
It's  for driveLetter in {1}[abcdefghijklmnopqrstuvwxyzABCDEVGHIJPLMNOPQRSTUVWXYZ]; do dd if=/sd$driveLetter of=/dev/null bs=1M status=progress; done
A siren really?
It's a well designed picture depicting some hacker group or a political manifesto.
Clear political aim.
Cheaping out (no server or payment infrastructure in use)
Self-defeating focus (appimages and root compilations are more often in user space, and wiping root isn't something non-privileged users can do. A good appimage design would at least do rm -rf ~, which still achieves data destruction without needing privileged calls)
Aimed at individuals, not organizations (amd64 Linux Wii U emulators are more popular for consumers)
Meme reliant (rm -rf / is a memed destructive command; the more thorough solutions aren't)

Also python packages shouldn't be run with access to git tokens, but that would require sensible defaults on this scale, which we're lacking.
We're once again dealing with non-reproducible build exploitation aimed at the self-compiling instead of the downloading group.
jordicoma 2 hours ago
Quoting: LoudTechie
This sounds like real hacktivism.
Not the kind of fake hacktivism APTs sometimes pretend, but really someone who is trying to make a political statement by hacking.

Clearly unfinished and unprofessional
Explained: rm -rf / really?
It's  for driveLetter in {1}[abcdefghijklmnopqrstuvwxyzABCDEVGHIJPLMNOPQRSTUVWXYZ]; do dd if=/sd$driveLetter of=/dev/null bs=1M status=progress; done
A siren really?
It's a well designed picture depicting some hacker group or a political manifesto.
Clear political aim.
Cheaping out (no server or payment infrastructure in use)
Self-defeating focus (appimages and root compilations are more often in user space, and wiping root isn't something non-privileged users can do. A good appimage design would at least do rm -rf ~, which still achieves data destruction without needing privileged calls)
Aimed at individuals, not organizations (amd64 Linux Wii U emulators are more popular for consumers)
Meme reliant (rm -rf / is a memed destructive command; the more thorough solutions aren't)

Also python packages shouldn't be run with access to git tokens, but that would require sensible defaults on this scale, which we're lacking.
We're once again dealing with non-reproducible build exploitation aimed at the self-compiling instead of the downloading group.
It's political for sure. As it says in the FAQ https://rentry.org/cemu-security-psa "If your locale is Russian then the malware does nothing." and "your location is Israel (it does this via locale and timezone checks) then it has a 1:6 chance that it will play a loud siren sound and run rm -rf /".
So it's a Russian or pro-Russian and goes anti-Israel.
LoudTechie 1 hour ago
I followed the links:
really this is a TeamPCP attack.
I thought they would be more professional from the scare I heard.
LoudTechie 1 hour ago
Quoting: jordicoma
Quoting: LoudTechie
This sounds like real hacktivism.
Not the kind of fake hacktivism APTs sometimes pretend, but really someone who is trying to make a political statement by hacking.

Clearly unfinished and unprofessional
Explained: rm -rf / really?
It's  for driveLetter in {1}[abcdefghijklmnopqrstuvwxyzABCDEVGHIJPLMNOPQRSTUVWXYZ]; do dd if=/sd$driveLetter of=/dev/null bs=1M status=progress; done
A siren really?
It's a well designed picture depicting some hacker group or a political manifesto.
Clear political aim.
Cheaping out (no server or payment infrastructure in use)
Self-defeating focus (appimages and root compilations are more often in user space, and wiping root isn't something non-privileged users can do. A good appimage design would at least do rm -rf ~, which still achieves data destruction without needing privileged calls)
Aimed at individuals, not organizations (amd64 Linux Wii U emulators are more popular for consumers)
Meme reliant (rm -rf / is a memed destructive command; the more thorough solutions aren't)

Also python packages shouldn't be run with access to git tokens, but that would require sensible defaults on this scale, which we're lacking.
We're once again dealing with non-reproducible build exploitation aimed at the self-compiling instead of the downloading group.
It's political for sure. As it says in the FAQ https://rentry.org/cemu-security-psa "If your locale is Russian then the malware does nothing." and "your location is Israel (it does this via locale and timezone checks) then it has a 1:6 chance that it will play a loud siren sound and run rm -rf /".
So it's a Russian or pro-Russian and goes anti-Israel.
The exception says less than the target.
It could simply be a way of blaming an innocent bystander.
The target does say something, because it shows who you want to hurt.
hardpenguin 1 hour ago
Nothing is sacred anymore