PSA: If you installed and launched/ran Cemu (WiiU emulation) within the last week you need to check that you have the safe version and did not inadvertently install one of 2 malware versions.
>https://old.reddit.com/r/cemu/comments/1tbbusq/security_psa_linux_malware_from_cemu_official/
>
>>Windows, MacOSX and the Flatpak are unaffected.
>>
>>The compromised releases are:
>>
>>Cemu-2.6-x86_64.AppImage
>>
>>cemu-2.6-ubuntu-22.04-x64.zip
>
>SAFE SHA256 checksum:
>
>Cemu-2.6x86_64.AppImage 0c20c4aeb800bb13d9bab9474ef45a6f8fcde6402cad9b32ac2a1bbd03186313
>
>cemu-2.6-ubuntu-22.04-x64.zip 5e4592d0dae394fa0614cb8c875eff3f81b23170b349511de318d9caf7215e1b
>
>Infected SHA256 / Checksums:
>
>sha256: f140e76236b96adf7cdc796227af9808665143bc674debb77729fa3e4b8327cc
>
>sha256: d07a29c4458d00e42d5d9e6345932592e91644d6b821bacdb7a543c628e0b41a
>
>KDE: (Right-click your Cemu AppImage -> Properties -> Checksum -> SHA256 button).
>
>If you've run either (f140e or d07a29) to play some games or configure, you may want to consider reinstalling your system if you've got any sensitive information, passwords or any of that in use. You're most likely safe if you didn't run the infected releases, but if you've updated and run Cemu recently, you're going to want to make sure you're in the clear, because if you're not then a reinstall may not be the worst idea.
>
>>From preliminary analysis it seems that mostly it is trying to spread itself rather than cause direct damage, it does that by stealing SSH keys, github tokens and a lot of other passwords or keys that they can then use to infect more packages or software releases.
>>
>>This is likely also how we got affected. The other Cemu author (MangleSpec/Petergov) ran software in WSL which was compromised through which they got hold of his github token. At least that is our leading theory.
>>
>>HOWEVER if your region is Israel (it detects this via keyboard layout and timezone settings), then it will have a random chance to wipe your filesystem (subprocess.run(["rm", "-rf", "/*"])) every time you start the compromised software.
>>
>>So my immediate advice is this:
>>
>>>Delete the compromised Cemu files (Cemu-2.6-x86_64.AppImage and cemu-2.6-ubuntu-22.04-x64.zip). Note: You are not affected if you downloaded before 6th May.
>>>Reset all your passwords, ssh keys and service tokens
>>>Block IP 83.142.209.194 just in case. This is hardcoded and used as a remote endpoint
>>
>>Source: ExZap - https://github.com/cemu-project/Cemu/issues/1911
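
Added example, not part of the original post or the Cemu project: a shell script that hashes every Cemu 2.6 AppImage or zip found under the directories you pass it and classifies each one against the four SHA256 values quoted above, without executing the file. The function names and the example directories are assumptions; it relies on `find` and `sha256sum` as shipped on typical Linux systems.

```shell
#!/bin/sh
# Added example: classify local Cemu 2.6 Linux downloads by SHA256.
# The checksums are copied from the post above; nothing here runs the files.

INFECTED="f140e76236b96adf7cdc796227af9808665143bc674debb77729fa3e4b8327cc
d07a29c4458d00e42d5d9e6345932592e91644d6b821bacdb7a543c628e0b41a"
SAFE="0c20c4aeb800bb13d9bab9474ef45a6f8fcde6402cad9b32ac2a1bbd03186313
5e4592d0dae394fa0614cb8c875eff3f81b23170b349511de318d9caf7215e1b"

# classify_sha256 <hex digest>  ->  prints INFECTED, SAFE or UNKNOWN.
# UNKNOWN means "matches neither list", not "confirmed clean".
classify_sha256() {
    digest=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # accept upper-case hex
    if [ -z "$digest" ]; then
        echo UNKNOWN
    elif printf '%s\n' "$INFECTED" | grep -qxF -- "$digest"; then
        echo INFECTED
    elif printf '%s\n' "$SAFE" | grep -qxF -- "$digest"; then
        echo SAFE
    else
        echo UNKNOWN
    fi
}

# scan_dirs <dir>...  ->  prints one "VERDICT path" line per candidate file.
# Returns 1 if any file matched an infected checksum, 0 otherwise.
scan_dirs() {
    report=$(find "$@" -type f \
                 \( -iname 'cemu*2.6*.appimage' -o -iname 'cemu*2.6*.zip' \) \
                 -exec sha256sum {} + 2>/dev/null |
             while read -r digest path; do
                 printf '%-8s %s\n' "$(classify_sha256 "$digest")" "$path"
             done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    fi
    ! printf '%s\n' "$report" | grep -q '^INFECTED '
}

# Usage (directories are assumed locations, adjust to where you keep downloads):
#   scan_dirs "$HOME/Downloads" "$HOME/Applications" || echo "infected build found"
```

A file renamed so that it no longer matches the `cemu*2.6*` pattern is not picked up by `scan_dirs`; pass its digest from `sha256sum` to `classify_sha256` directly.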