Compromised Linux builds of the popular Wii U emulator CEMU were distributed via GitHub for nearly a week. The malicious files were uploaded as part of the v2.6 release between May 6 and May 12. Windows, macOS, and Flatpak users are not affected.
Malware targets Israel with siren and wipe
The affected files are Cemu-2.6-x86_64.AppImage and cemu-2.6-ubuntu-22.04-x64.zip. The malware is a sophisticated password stealer that does not activate on first run. It also checks the user's location. If the user is in Russia, the malware remains dormant. If the user is in Israel, it plays siren sounds and attempts to wipe the filesystem.
The CEMU development team stated that the leading theory is that a collaborator ran a compromised Python package that stole a GitHub token. The attacker then used that token to reupload the compromised Linux binaries. The team said they have taken measures to prevent this from happening again.
It is currently unclear if the malware has further targets and goals beyond password stealing. The developers have not confirmed the full scope of the incident.



Discussion
0 comments
Log in to join the thread with a thoughtful take, question, or correction.