Open Source · 2026-05-07 · 5 days · Credential Theft, Data Exfiltration, Backdoor, Destruction

TeamPCP backdoored the Cemu 2.6 Linux release assets

TeamPCP used a compromised co-author account to replace the Linux release assets of Cemu 2.6 on GitHub with builds that ran a Python credential stealer at startup. The swap stood for five days and produced about 21,000 downloads.

Story

Roughly 21,000 Linux users who downloaded the popular Wii U emulator Cemu between May 7 and May 12, 2026 instead received a trojanized build that installed a credential stealer disguised as a PostgreSQL monitoring agent, according to maintainer disclosures and follow-on research from Datadog Security Labs.

Cemu is the leading open-source Wii U emulator. Its 2.6 release was tagged on February 6, 2026, with the original assets uploaded by GitHub's github-actions[bot]. On May 7 at 22:55 UTC, a long-time co-author with the GitHub handle MangelSpec replaced the Ubuntu zip, cemu-2.6-ubuntu-22.04-x64.zip. Roughly three hours later, at 01:41 UTC on May 8, the same account replaced the Linux AppImage. The Windows zip, the macOS dmg, the v2.6 git tag, and the Flatpak build were left untouched. The release page continued to display the original February publication date, so a casual visitor saw a release that looked three months old, with nothing on the page calling out that two of its assets had just been replaced.

The compromise surfaced publicly on May 12 as issue #1911 in the cemu-project/Cemu repository. By then the malicious AppImage had been downloaded 19,897 times and the Ubuntu zip 1,957 times, per GitHub release metadata. Maintainers later traced the entry point to a malicious binary MangelSpec had executed inside Windows Subsystem for Linux, which leaked the GitHub credentials he used for release uploads. Because the Linux assets carried no build provenance or signature tying them to the CI run that produced them, any account with write access to the repository could delete and re-upload them directly, and nothing in the release flow flagged that the uploader had changed from github-actions[bot] to a human account.
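The asset swap described above is detectable from release metadata alone: GitHub keeps a per-asset updated_at and uploader, and both diverged from the release's own published_at and CI identity. The following check is an example added for this write-up, not Cemu project tooling or anything from the disclosure. It works on the JSON shape returned by the GitHub REST API for a single release; the sample release object is constructed to mirror the timeline in the text, the AppImage filename and the exact timestamps are assumptions, and the Windows asset is included only as a control.

```python
"""Flag release assets changed long after publication or uploaded by an
unexpected identity (example added for this write-up, not project code)."""
from datetime import datetime, timezone

# Constructed sample in the shape of GET /repos/{owner}/{repo}/releases/{id}.
# Download counts and the two swap times follow the write-up; the AppImage
# filename, the Windows count and the exact February time are assumptions.
SAMPLE_RELEASE = {
    "tag_name": "v2.6",
    "published_at": "2026-02-06T18:00:00Z",
    "author": {"login": "github-actions[bot]"},
    "assets": [
        {"name": "cemu-2.6-windows-x64.zip", "updated_at": "2026-02-06T18:05:00Z",
         "uploader": {"login": "github-actions[bot]"}, "download_count": 200000},
        {"name": "cemu-2.6-ubuntu-22.04-x64.zip", "updated_at": "2026-05-07T22:55:00Z",
         "uploader": {"login": "MangelSpec"}, "download_count": 1957},
        {"name": "Cemu-2.6-x86_64.AppImage", "updated_at": "2026-05-08T01:41:00Z",
         "uploader": {"login": "MangelSpec"}, "download_count": 19897},
    ],
}


def _ts(value):
    """Parse the UTC timestamps GitHub emits ("2026-05-07T22:55:00Z")."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def suspicious_assets(release, grace_hours=24, expected_uploader=None):
    """Return (asset name, reason) pairs for assets that were modified more
    than grace_hours after the release was published, or whose uploader is
    not the expected CI identity (defaults to the release author)."""
    published = _ts(release["published_at"])
    expected = expected_uploader or release["author"]["login"]
    flagged = []
    for asset in release["assets"]:
        reasons = []
        age_hours = (_ts(asset["updated_at"]) - published).total_seconds() / 3600
        if age_hours > grace_hours:
            reasons.append(f"updated {age_hours / 24:.0f} days after publication")
        uploader = asset["uploader"]["login"]
        if uploader != expected:
            reasons.append(f"uploaded by {uploader}, expected {expected}")
        if reasons:
            flagged.append((asset["name"], "; ".join(reasons)))
    return flagged


def exposed_downloads(release, flagged):
    """Sum download_count over flagged assets: an upper bound on exposure,
    since downloads are not executions."""
    names = {name for name, _ in flagged}
    return sum(a["download_count"] for a in release["assets"] if a["name"] in names)


if __name__ == "__main__":
    hits = suspicious_assets(SAMPLE_RELEASE)
    for name, reason in hits:
        print(f"{name}: {reason}")
    print("downloads of flagged assets:", exposed_downloads(SAMPLE_RELEASE, hits))
```

Against a live repository the same function takes the output of `gh api repos/cemu-project/Cemu/releases/tags/v2.6` (or the equivalent curl call) in place of SAMPLE_RELEASE. The grace window exists because CI pipelines legitimately re-upload assets in the minutes after a release is created; what this incident shows is a three-month gap, which no honest build process produces.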

Both backdoored archives bundled a Python zipapp called startup.pyz. Datadog said the payload, on execution, wrote a pgmonitor.py file and registered it as a systemd service named pgsql-monitor.service — a name chosen to read as a benign database tool. The collector targeted SSH keys, GitHub tokens, AWS Secrets Manager and SSM, Azure Key Vault, GCP Secret Manager, Kubernetes secrets, HashiCorp Vault, and local password-manager state. Stolen material was POSTed to 83.142.209.194/v1/weights, with a fallback resolver that pulled RSA-signed C2 addresses out of public GitHub commits tagged FIRESCALE. The malware ran only on Linux, skipped systems using a Russian locale, and required more than four CPU cores to proceed. A "roulette" routine in the code inspected the locale for Israeli and Iranian indicators and, on a one-in-six roll, played an audio file and executed rm -rf across the filesystem.
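The indicators in the paragraph above (startup.pyz inside the archive, the dropped pgmonitor.py, the pgsql-monitor.service unit, the C2 address and path, and the FIRESCALE fallback tag) can be checked on a downloaded archive or a suspect host without running anything from the archive. The triage script below is an example added for this write-up; it is not Datadog's or the Cemu project's tooling. The file contents it writes into its own sample directory are constructed stand-ins, not the real payload; only the IOC strings come from the text.

```python
"""Offline IOC triage for the Cemu 2.6 Linux asset compromise
(example added for this write-up, not project or vendor tooling)."""
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# IOC values reported in the write-up.
C2_IP = "83.142.209.194"
IOC_FILENAMES = {"startup.pyz", "pgmonitor.py", "pgsql-monitor.service"}
IOC_PATTERNS = {
    "c2 address": re.compile(re.escape(C2_IP)),
    "c2 path": re.compile(r"/v1/weights"),
    "fallback resolver tag": re.compile(r"FIRESCALE"),
}
MAX_SCAN_BYTES = 4 * 1024 * 1024  # skip large binaries; unit files and scripts are small


def scan_bytes(label, data):
    """Return one finding per IOC pattern present in the given bytes."""
    text = data.decode("utf-8", errors="replace")
    return [f"{label}: {what}" for what, pat in IOC_PATTERNS.items() if pat.search(text)]


def triage(root):
    """Walk root; flag IOC filenames, IOC members inside zip archives, and
    IOC strings inside small files. Returns a list of finding strings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name in IOC_FILENAMES:
            findings.append(f"{path}: IOC filename")
        if zipfile.is_zipfile(path):
            # The Ubuntu zip (and a .pyz zipapp) are zip containers: list
            # members rather than extracting or executing anything.
            with zipfile.ZipFile(path) as zf:
                for member in zf.namelist():
                    if Path(member).name in IOC_FILENAMES:
                        findings.append(f"{path}!{member}: IOC member in archive")
            continue
        if path.stat().st_size <= MAX_SCAN_BYTES:
            findings.extend(scan_bytes(str(path), path.read_bytes()))
    return findings


def build_sample():
    """Create a constructed directory that mimics a compromised user's home:
    the swapped archive, the dropped script and the persistence unit."""
    root = Path(tempfile.mkdtemp(prefix="cemu-triage-"))
    (root / "downloads").mkdir()
    with zipfile.ZipFile(root / "downloads" / "cemu-2.6-ubuntu-22.04-x64.zip", "w") as zf:
        zf.writestr("Cemu_2.6/Cemu", b"\x7fELF stand-in, not a real binary")
        zf.writestr("Cemu_2.6/startup.pyz", b"PK stand-in, not the real zipapp")
    unit_dir = root / ".config" / "systemd" / "user"
    unit_dir.mkdir(parents=True)
    (unit_dir / "pgsql-monitor.service").write_text(
        "[Service]\nExecStart=/usr/bin/python3 /home/user/.local/pgmonitor.py\n")
    (root / ".local").mkdir()
    (root / ".local" / "pgmonitor.py").write_text(
        f'URL = "http://{C2_IP}/v1/weights"  # constructed stand-in line\n')
    (root / "notes.txt").write_text("benign file\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample()
    for line in triage(target):
        print(line)
```

On a real host, point triage at the download directory plus /etc/systemd/system and ~/.config/systemd/user; the AppImage is an ELF with an embedded squashfs rather than a zip, so unpack it first with `./Cemu.AppImage --appimage-extract` (which only extracts, it does not launch the emulator) and scan the resulting squashfs-root directory. If you detonate a sample to confirm behaviour, remember the gates the text describes: the payload exits on a Russian locale and on hosts with four or fewer CPU cores, so a small default sandbox VM will show nothing.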

Datadog noted that the same C2 address and the same pgsql-monitor.service persistence reappeared on May 19 in the compromise of Microsoft's durabletask PyPI package (see [[durabletask-pypi]]) and lined up with the broader May 11 wave that hit roughly 170 npm and PyPI packages in a five-hour window. The cross-ecosystem aggregate lives on [[shai-hulud-here-we-go-again]].

The Cemu project removed the malicious assets, restored the originals, and posted a notice through rentry.org. Users who downloaded but never ran the archives were told they were not at risk; users who executed them were told to treat the host as fully compromised and rotate every credential reachable from the machine. A group calling itself TeamPCP claimed responsibility for the operation. Datadog declined to assess the claim.

Affected Artifacts

Incident Context

Motive: Credential Theft, Data Exfiltration
Attribution: Group
Cause: Compromised Account Credentials
Transitive: No
Actor: TeamPCP
User Impact: 21854

Indicators

Notes

  • Download counts are point-in-time figures from GitHub release metadata at disclosure on 2026-05-12, with 19,897 for the AppImage and 1,957 for the Ubuntu zip. The impact users field is the sum and represents downloads, not confirmed executions.
  • The original v2.6 release was tagged on 2025-02-06 by github-actions[bot]. Only the Linux release assets were replaced; the git tag, source archive, Windows zip, macOS dmg, and Flatpak build were unchanged.
  • Maintainers attribute the MangelSpec account compromise to malicious software the co-author ran inside WSL, which exposed GitHub credentials.
  • The C2 address 83.142.209.194 and the pgsql-monitor.service persistence are shared with the durabletask PyPI compromise on 2026-05-19, tying this incident to TeamPCP's Mini Shai-Hulud activity.

External References

Source record: oss/attacks/cemu/meta.yaml