Cemu 2.6 Security Check: Is Your Steam Deck Affected?

A compromised Cemu 2.6 briefly distributed malware through Linux AppImage and Ubuntu builds. Here's how to check whether your Steam Deck may have been affected.

I rarely open my Steam Deck these days.

Not because I’m bored with it, but because there isn’t much time left for gaming after taking care of other responsibilities. That’s a little sad, honestly.

This Friday night, I finally had some free time and decided to continue playing one of my favorite games. Since it had been a while, I switched to Desktop Mode and started updating my Flatpaks and EmuDeck installation.

While waiting for the updates to finish, I browsed a few Steam Deck communities to see what was new. That’s when I discovered that Cemu Emulator 2.6—specifically the AppImage release—had been compromised in a supply-chain malware attack.

I froze.

I use Cemu regularly. What if my Steam Deck had already been compromised?

I immediately stopped the update process. Fortunately, it looked like my Cemu installation hadn’t been updated yet.

Still, I was concerned enough to investigate whether my Steam Deck showed any signs of compromise.

The Malware that Shipped with Cemu 2.6

Based on the Security PSA from the Cemu team, here’s what we know so far:

It has come to our attention that from 6th May to today (12th May) the AppImage and Ubuntu zip assets of Cemu 2.6 on our github were compromised by a pro-Russian threat actor. If you are a Windows or MacOS user you are not affected. If you are a flatpak user you are also not affected.

These are the compromised releases:

  • Cemu-2.6-x86_64.AppImage
  • cemu-2.6-ubuntu-22.04-x64.zip

Consequently, your system is likely compromised only if you downloaded one of those files from the Cemu GitHub page between May 6 and May 12, 2026. This also affects third-party launchers, such as EmuDeck, which download directly from the Cemu repository.

The good news is, as of the writing of their Security PSA, the compromised releases have been removed from the GitHub repository and restored to their safe versions.

How Do I Check If I Am Compromised?

Sadly, there are currently no known reliable traces to check for. You can still take a few steps to judge whether you are likely unaffected.

1. Check the Cemu Download Date

Always assume that you are affected if you downloaded the emulator between May 6, 2026 and May 12, 2026. If you are using a Steam Deck, you can check the installation date with the following command:

ls -lah ~/Applications/ | grep Cemu

Here’s the example output from my Steam Deck:

-rwxr-xr-x  1 deck deck  59M Jan  1 20:46 Cemu.AppImage

Based on my output, it was downloaded on January 1, 2026. So, I am safe for now.

2. Check the SHA-256 Hash

If you want to verify that your downloaded binary is safe, you can check its SHA-256 hash.

For Steam Deck users, you can run the following command in a terminal:

shasum -a 256 ~/Applications/Cemu.AppImage

The official release files should have the following SHA-256 hashes:

  • Cemu-2.6-x86_64.AppImage
    SHA-256: 0c20c4aeb800bb13d9bab9474ef45a6f8fcde6402cad9b32ac2a1bbd03186313
  • cemu-2.6-ubuntu-22.04-x64.zip
    SHA-256: 5e4592d0dae394fa0614cb8c875eff3f81b23170b349511de318d9caf7215e1b

Here is an example output from my Steam Deck:

0c20c4aeb800bb13d9bab9474ef45a6f8fcde6402cad9b32ac2a1bbd03186313  /home/deck/Applications/Cemu.AppImage

This is a perfect match for the SHA-256 reference above, so I can be more confident that the file has not been compromised. I feel safer now.
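The date check from step 1 and the hash check from step 2 can be combined so that the year and the full hash are compared by the machine rather than by eye. This is an added example, not code from the Cemu team or from the PSA; it uses coreutils sha256sum instead of shasum, and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the Cemu team. Hashes and dates are the ones
# quoted in this article; function names are illustrative.
KNOWN_GOOD="0c20c4aeb800bb13d9bab9474ef45a6f8fcde6402cad9b32ac2a1bbd03186313
5e4592d0dae394fa0614cb8c875eff3f81b23170b349511de318d9caf7215e1b"
WINDOW_START=20260506   # first day of the compromise window (YYYYMMDD)
WINDOW_END=20260512     # last day of the compromise window

# Print the SHA-256 of a file as 64 hex characters.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Succeed if the file's hash appears in the list given as $2
# (one hash per line; defaults to the official Cemu 2.6 hashes).
hash_is_known_good() {
    [ -r "$1" ] || return 2
    h=$(sha256_of "$1")
    [ -n "$h" ] && printf '%s\n' "${2:-$KNOWN_GOOD}" | grep -qxF "$h"
}

# Succeed if the file's modification date lies inside the window.
# mtime is only a hint: copying or re-downloading a file changes it.
mtime_in_window() {
    d=$(date -r "$1" +%Y%m%d) || return 2
    [ "$d" -ge "$WINDOW_START" ] && [ "$d" -le "$WINDOW_END" ]
}

# Report both facts for one file; neither alone proves a clean system.
check_cemu() {
    [ -f "$1" ] || { echo "missing"; return 0; }
    if hash_is_known_good "$1" "${2:-}"; then hres=match; else hres=mismatch; fi
    if mtime_in_window "$1"; then wres=inside; else wres=outside; fi
    echo "hash=$hres window=$wres"
}

check_cemu "${1:-$HOME/Applications/Cemu.AppImage}"
```

A mismatch only means the file is not one of the two official 2.6 builds listed above; it may simply be a different Cemu version.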

3. Check Specific Files and Directories

There are other indicators that your system has been compromised. Based on the Cemu team’s investigation, the malware created the following files and directories:

  • /tmp/.transformers
  • /usr/bin/pgmonitor.py
  • ~/.local/bin/pgmonitor.py
  • /etc/systemd/system/pgsql-monitor.service
  • ~/.config/systemd/user/pgsql-monitor.service
  • /tmp/kubectl

However, there is no guarantee that you are safe just because these files and directories do not exist.

You can use the following bash script to check if these paths exist:

for path in \
    /tmp/.transformers \
    /usr/bin/pgmonitor.py \
    ~/.local/bin/pgmonitor.py \
    /etc/systemd/system/pgsql-monitor.service \
    ~/.config/systemd/user/pgsql-monitor.service \
    /tmp/kubectl
do
    if [ -e "$path" ]; then
        printf "EXISTS:    %s\n" "$path"
    else
        printf "NOT FOUND: %s\n" "$path"
    fi
done

Or, if you prefer a one-liner, you can use this:

for p in /tmp/.transformers /usr/bin/pgmonitor.py ~/.local/bin/pgmonitor.py /etc/systemd/system/pgsql-monitor.service ~/.config/systemd/user/pgsql-monitor.service /tmp/kubectl; do [ -e "$p" ] && echo "EXISTS:    $p" || echo "NOT FOUND: $p"; done

The expected output should show all of them as NOT FOUND, like this output from my Steam Deck:

NOT FOUND: /tmp/.transformers
NOT FOUND: /usr/bin/pgmonitor.py
NOT FOUND: /home/deck/.local/bin/pgmonitor.py
NOT FOUND: /etc/systemd/system/pgsql-monitor.service
NOT FOUND: /home/deck/.config/systemd/user/pgsql-monitor.service
NOT FOUND: /tmp/kubectl

If you see all of them listed as NOT FOUND, you are potentially safe. But, as I mentioned earlier, you are still not 100% guaranteed to be clear.

4. Check for the Upstream IP Address

The malware also attempts to send data to this IP address: 83.142.209.194.

You can monitor your network using a tool like Wireshark to check if any active processes are sending data to that specific IP address.

It is also better to simply block the address entirely, even if you aren’t compromised.
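For a quick point-in-time look without a packet capture, the socket table can be searched for the address above. This is an added example, not part of the Cemu PSA; it assumes the ss tool from iproute2, the function names are illustrative, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: search socket listings for the address named in this
# article. The column layout of ss output varies with the options used,
# so every field of every line is inspected.
C2_IP="83.142.209.194"

# Constructed sample of `ss -Htunap` output (not a real capture).
SAMPLE='tcp ESTAB 0 0 192.168.1.20:51514 83.142.209.194:443 users:(("python3",pid=4242,fd=5))
tcp ESTAB 0 0 192.168.1.20:40022 183.142.209.194:443
tcp ESTAB 0 0 [::ffff:192.168.1.20]:40100 [::ffff:83.142.209.194]:8080
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*'

# Read ss-style lines on stdin and print those where any address field
# equals C2_IP exactly (plain IPv4 or IPv4-mapped IPv6).
filter_c2() {
    awk -v ip="$C2_IP" '
    {
        for (i = 1; i <= NF; i++) {
            addr = $i
            sub(/:[0-9*]+$/, "", addr)   # drop the :port suffix
            gsub(/^\[|\]$/, "", addr)    # drop [ ] around IPv6 literals
            sub(/^::ffff:/, "", addr)    # unwrap IPv4-mapped IPv6
            if (addr == ip) { print; next }
        }
    }'
}

# Live check: all TCP/UDP sockets, numeric, with owning process if visible.
check_live() {
    ss -Htunap 2>/dev/null | filter_c2
}

# Demonstration on the constructed sample: prints the first and third lines.
printf '%s\n' "$SAMPLE" | filter_c2
```

Run check_live on the device itself. Without root, ss only shows process names for your own sockets, and an empty result only covers the moment the command ran.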

Final Thoughts

These are currently the most practical checks available to determine whether your Steam Deck may have been affected by the compromised Cemu 2.6 releases.

Keep in mind that none of these checks can guarantee that a system is completely clean. But, if you didn’t download the affected builds during the compromise window and none of the known indicators are present, that’s reassuring.

If you’re still concerned, you can back up your important files and perform a factory reset as a last resort.

As always, if you’ve found additional indicators or better verification methods, feel free to share them.

Thanks for reading, and see you next time!
