SECURITY PSA - For Cemu emulator 2.6
It has come to our attention that from 6th May to today (12th May) the AppImage and Ubuntu zip assets of Cemu 2.6 on our GitHub were compromised by a pro-Russian threat actor.
If you are a Windows or macOS user you are not affected. If you are a flatpak user you are also not affected.

The compromised releases are:
Cemu-2.6-x86_64.AppImage
cemu-2.6-ubuntu-22.04-x64.zip
You are only affected if you downloaded these from our GitHub page between 6th May and 12th May. This also affects third party launchers, which usually download directly from our repository. As of writing this, the compromised releases have been restored to their good version.

FAQ:

How do I know if I am affected?
There are currently no known reliable traces that you can check for, but you should assume you are affected if you downloaded and ran either Cemu-2.6-x86_64.AppImage or cemu-2.6-ubuntu-22.04-x64.zip between 6th May and 12th May. The malware has a special exception that skips the harmful code on the first run, so the risk of damage is lower if you only ran a compromised Cemu build once. If your locale is Russian then the malware does nothing.

The following files and directories may be created by the malware:
/tmp/.transformers
/usr/bin/pgmonitor.py
~/.local/bin/pgmonitor.py
/etc/systemd/system/pgsql-monitor.service
~/.config/systemd/user/pgsql-monitor.service
/tmp/kubectl
The absence of these files does not prove that you are safe.

What can I do if I am affected?
The blunt answer is that we don't know the full capabilities of the malware. The safest bet is to do a clean install of your OS.
At the very minimum you should delete the affected binaries and reset all your passwords, GitHub tokens, SSH keys or anything that is used to authenticate with services. The malware contains a pretty sophisticated password stealer for many services. Most of them are related to programming or cloud providers in some way. We think this is to help the malware authors to further infect other software.
You should also block IP 83.142.209.194 (even if you are not affected) because this is used as a hardcoded remote endpoint.
We will update this document as more information becomes available.

Special note for Israeli users:
If the malware determines that your location is Israel (it does this via locale and timezone checks) then it has a 1:6 chance that it will play a loud siren sound and run rm -rf /, essentially attempting to wipe your filesystem. This is bad, but since rm does not actively overwrite the file data, you should be able to recover your data with some effort. But this is only true as long as you don't write new data to the affected drive(s).
Do not reinstall your OS to the same drive or format it until you have attempted a file recovery first. The exact steps for this go beyond the scope of this PSA, but if you need help feel free to DM me on Discord (Exzap) or shoot me a message on reddit (/u/Exzap).

How did this happen?
We are still tracking the exact chain of events down but the leading theory is that a collaborator on our team ran a compromised python package which stole his GitHub token. This was then used to reupload a compromised version of the two linux binaries in the v2.6 (latest) release of Cemu. We have taken measures to prevent this from happening in the future.

Where can I learn more?
We will update this document as we learn more.
https://github.com/cemu-project/Cemu/issues/1911
https://teampcp.cyberdigest.international/

If you are unsure whether your binaries are compromised, here are the hashes of the GOOD files:
Cemu-2.6-x86_64.AppImage 0c20c4aeb800bb13d9bab9474ef45a6f8fcde6402cad9b32ac2a1bbd03186313 (sha256)
cemu-2.6-ubuntu-22.04-x64.zip 5e4592d0dae394fa0614cb8c875eff3f81b23170b349511de318d9caf7215e1b (sha256)
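As an added example (not code from the Cemu team or this PSA), the following POSIX shell script turns the artifact list from the "How do I know if I am affected?" section and the good hashes above into a check: it compares a downloaded asset against the known-good SHA-256 values and reports whether any of the listed paths exist. The script name and message wording are my own.

```shell
# Added example, not the Cemu team's code: verify a downloaded Cemu 2.6 Linux asset
# against the PSA's known-good SHA-256 and look for the artifact paths it lists.
# Finding none of the artifacts does NOT prove the machine is clean.

# Known-good hashes as published in the PSA.
GOOD_APPIMAGE_SHA256=0c20c4aeb800bb13d9bab9474ef45a6f8fcde6402cad9b32ac2a1bbd03186313
GOOD_UBUNTU_ZIP_SHA256=5e4592d0dae394fa0614cb8c875eff3f81b23170b349511de318d9caf7215e1b

# SHA-256 of a file as a bare hex string (sha256sum on Linux, shasum as fallback).
sha256_of() {
  { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# Compare a file against an expected hash: 0 = match, 1 = mismatch, 2 = no such file.
check_hash() {
  file=$1; expected=$2
  [ -f "$file" ] || { echo "missing: $file"; return 2; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then echo "ok: $file"; return 0; fi
  echo "MISMATCH: $file (got $actual) - treat the file as compromised"; return 1
}

# Report which of the given paths exist; with no arguments, use the PSA's list.
# Return value is the number of paths found (0 = none of them present).
find_artifacts() {
  if [ "$#" -eq 0 ]; then
    set -- /tmp/.transformers /usr/bin/pgmonitor.py "$HOME/.local/bin/pgmonitor.py" \
           /etc/systemd/system/pgsql-monitor.service \
           "$HOME/.config/systemd/user/pgsql-monitor.service" /tmp/kubectl
  fi
  found=0
  for p in "$@"; do
    if [ -e "$p" ]; then echo "FOUND: $p"; found=$((found + 1)); fi
  done
  return "$found"
}

# When run directly with the downloaded asset(s) as arguments, e.g.
#   sh cemu_check.sh Cemu-2.6-x86_64.AppImage cemu-2.6-ubuntu-22.04-x64.zip
if [ "$#" -ge 1 ]; then
  for f in "$@"; do
    case "$f" in
      *.AppImage) check_hash "$f" "$GOOD_APPIMAGE_SHA256" ;;
      *.zip)      check_hash "$f" "$GOOD_UBUNTU_ZIP_SHA256" ;;
      *)          echo "skip: $f (not one of the two PSA assets)" ;;
    esac
  done
  find_artifacts || echo "$? listed artifact path(s) present; see the PSA"
fi
```

A hash match only tells you the file on disk is the restored good build; if a compromised build was ever run, the rest of the PSA's advice still applies.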

Pub: 12 May 2026 18:00 UTC

Edit: 12 May 2026 18:20 UTC