cross-posted from: https://sopuli.xyz/post/45586653

From the EmuDeck Discord:

@everyone Hey everyone, apologies for the ping but since this is deemed as critical to the security of people’s devices here, I will have to. Cemu (the Wii U emulator) was recently compromised by a malicious attacker using a known developer’s account. This compromise took place from May 6th to May 12th, and introduces malware that is known to steal passwords, SSH keys, GitHub tokens, and likely more they are not fully aware of at this moment. We recommend anybody who is on Linux or SteamOS to go into the EmuDeck app, Manage Emulators tab, Cemu, and click Reinstall/Update, and make sure the hash of the AppImage (located in Home/Applications, right click Cemu AppImage, go into Properties, Checksums, and calculate the SHA256 hash) matches the non-compromised version provided by the Cemu developers. If you have used Cemu from the dates I have mentioned, and the SHA256 hash does not match what is listed, assume your system may be compromised if it was run. If you are on Windows, macOS, or used the Flatpak version, you are not affected by this malware. More information regarding this attack can be found here: https://rentry.org/cemu-security-psa

The specifically affected packages were:

Cemu-2.6-x86_64.AppImage

cemu-2.6-ubuntu-22.04-x64.zip

    • thingsiplay@lemmy.ml (OP) · 13 days ago

      From their message:

      There are currently no known reliable traces

      Isn’t a checksum of the files a reliable enough way to check? Edit: Ah yes, at the bottom of their message they do exactly that. If one executed the programs, then they are affected I assume:

      If you are unsure whether your binaries are compromised here are hashes of the GOOD files:

      Cemu-2.6-x86_64.AppImage 0c20c4aeb800bb13d9bab9474ef45a6f8fcde6402cad9b32ac2a1bbd03186313 (sha256)

      cemu-2.6-ubuntu-22.04-x64.zip 5e4592d0dae394fa0614cb8c875eff3f81b23170b349511de318d9caf7215e1b (sha256)

      • nullpotential@lemmy.dbzer0.com · 13 days ago

        I think they were saying there’s no way to trace if the malware activated or what files it affected, but you can determine if you have the infected versions by the checksums, yeah.

  • db2@lemmy.world · 13 days ago

    But people kept defending appimage saying it’s safer and sandboxed and stuff. Think any will show up in replies to double down on that clearly wrong idea?

    • thingsiplay@lemmy.ml (OP) · 13 days ago

      Oh no AppImage is not sandboxed, people didn’t say that. You probably mean people say Flatpak is sandboxed. And the Flatpak version here is not affected. I personally use AppImages too, knowing it’s not sandboxed at all and aware of the dangers. AppImage is “just” like a self-extracting Zip archive, but with some extra tricks. Flatpak on the other hand is sandboxed and limits the access to your system and files, depending on the configuration of the package.
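
A command-line version of the checksum comparison discussed in this thread, as an added example that is not part of any post or of the Cemu/EmuDeck projects: it hashes the files you pass it and compares them by content against the two known-good SHA256 values quoted above. The function names are this example's own; it assumes `sha256sum` is installed and compares by content only, so the file name does not matter.

```shell
#!/usr/bin/env bash
# Added example: compare files against the known-good SHA256 values quoted in this thread.

# Hashes of the GOOD files, copied from the comment above.
GOOD_APPIMAGE=0c20c4aeb800bb13d9bab9474ef45a6f8fcde6402cad9b32ac2a1bbd03186313
GOOD_ZIP=5e4592d0dae394fa0614cb8c875eff3f81b23170b349511de318d9caf7215e1b

# file_sha256 FILE: print the lowercase hex SHA256 of FILE, or return 3 if unreadable.
file_sha256() {
    [ -f "$1" ] && [ -r "$1" ] || return 3
    # Reading from stdin keeps the output format independent of the file name.
    sha256sum < "$1" | cut -d' ' -f1
}

# is_known_good HASH: return 0 if HASH (any letter case) equals one of the good hashes.
is_known_good() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        "$GOOD_APPIMAGE"|"$GOOD_ZIP") return 0 ;;
        *) return 1 ;;
    esac
}

# check_cemu_file FILE: 0 = matches a good hash, 1 = does not match, 3 = unreadable.
check_cemu_file() {
    local h
    h=$(file_sha256 "$1") || return 3
    is_known_good "$h"
}

# check_all FILE...: report each file; return 1 if any did not verify.
check_all() {
    local f rc bad=0
    for f in "$@"; do
        rc=0
        check_cemu_file "$f" || rc=$?
        case $rc in
            0) echo "OK          $f" ;;
            1) echo "NO MATCH    $f"; bad=1 ;;
            *) echo "UNREADABLE  $f"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Run only when paths are given on the command line.
if [ "$#" -gt 0 ]; then check_all "$@"; fi
```

A match only shows that the file on disk now is the good build; as noted in the thread, it does not show whether a compromised build was run earlier.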