CEMU, a popular Wii U emulator, was compromised

CEMU, which as an avid video game collector I can vouch for, is an amazing Wii U emulator with tons of users worldwide. Through an apparent credential-stealing attack originating from a malicious Python package, the attackers were able to replace two downloads: the AppImage and the Ubuntu zip package. It seems no other releases were targeted, so Flatpak and the other builds were safe.

From the maintainers:

From preliminary analysis it seems that mostly it is trying to spread itself rather than cause direct damage; it does that by stealing SSH keys, GitHub tokens and a lot of other passwords or keys that they can then use to infect more packages or software releases. This is likely also how we got affected. The other Cemu author (MangleSpec/Petergov) ran software in WSL which was compromised, through which they got hold of his GitHub token. At least that is our leading theory.

It seems to stem from a Russian attacker: if it detects a Russian timezone and keyboard layout it doesn’t do anything, but if your region is Israel, then it has a random chance to wipe your filesystem (subprocess.run(["rm", "-rf", "/*"])) every time you start the compromised software.

See "[COMPROMISED] v2.6 Linux Ubuntu and AppImage release assets have been replaced (SOLVED, now restored)" (Issue #1911, cemu-project/Cemu on GitHub) for more information.
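Two defensive checks follow directly from the maintainers' description above: compare a downloaded asset against the checksum pinned when the release was published (so a swapped AppImage or zip shows up as a hash mismatch), and scan the asset's contents for the destructive `rm -rf /*` subprocess call the payload uses. The script below is an added example written for this post, not Cemu project code; the asset names, file contents and manifest hashes are constructed samples, and the indicator patterns are derived only from the command quoted above.

```python
"""Verify downloaded release assets against pinned SHA-256 checksums and scan
them for the destructive payload pattern described by the Cemu maintainers.
Added example with constructed data; not part of the Cemu project."""
import hashlib
import io
import re
import zipfile

# Indicators derived from the maintainers' description: the payload shells out to
# "rm -rf /*" via subprocess. The second pattern catches the same command written
# as a single shell string (os.system / shell=True style).
INDICATORS = {
    "subprocess rm -rf": re.compile(rb'\[\s*"rm"\s*,\s*"-rf"\s*,\s*"/\*?"\s*\]'),
    "shell rm -rf": re.compile(rb'rm\s+-rf\s+/\*'),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of indicators that match in the given file contents."""
    return [name for name, pat in INDICATORS.items() if pat.search(data)]


def scan_asset(name: str, data: bytes) -> list[str]:
    """Scan one asset. Zip archives are unpacked in memory and every member is
    scanned individually; other assets are scanned as raw bytes."""
    if not name.endswith(".zip"):
        return scan_bytes(data)
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            hits.extend(f"{member}: {hit}" for hit in scan_bytes(zf.read(member)))
    return hits


def verify_release(assets: dict[str, bytes], manifest: dict[str, str]) -> dict[str, dict]:
    """Compare each downloaded asset with the pinned manifest and scan its contents.

    Per asset: {"status": "ok" | "hash-mismatch" | "not-in-manifest" | "missing",
                "indicators": [matched indicator names]}.
    A hash mismatch alone is already a reason not to run the file; the indicator
    list only adds context about what changed.
    """
    report = {}
    for name, data in assets.items():
        expected = manifest.get(name)
        if expected is None:
            status = "not-in-manifest"
        elif sha256_hex(data) == expected:
            status = "ok"
        else:
            status = "hash-mismatch"
        report[name] = {"status": status, "indicators": scan_asset(name, data)}
    for name in manifest:
        if name not in assets:
            report[name] = {"status": "missing", "indicators": []}
    return report


def _make_zip(files: dict[str, bytes]) -> bytes:
    """Build a zip archive in memory from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in files.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# --- Constructed sample data (not real Cemu assets or hashes) ------------------
CLEAN_APPIMAGE = b"\x7fELF constructed appimage bytes\n"
CLEAN_ZIP = _make_zip({"Cemu": b"\x7fELF constructed binary\n", "README": b"hello\n"})
# Models the replaced Ubuntu zip: same binary plus a dropped-in Python payload.
TAMPERED_ZIP = _make_zip({
    "Cemu": b"\x7fELF constructed binary\n",
    "launcher.py": b'import subprocess\nsubprocess.run(["rm", "-rf", "/*"])\n',
})

# Checksums pinned at release time, before any tampering (constructed values).
PINNED_MANIFEST = {
    "Cemu.AppImage": sha256_hex(CLEAN_APPIMAGE),
    "Cemu-ubuntu.zip": sha256_hex(CLEAN_ZIP),
}

if __name__ == "__main__":
    downloaded = {"Cemu.AppImage": CLEAN_APPIMAGE, "Cemu-ubuntu.zip": TAMPERED_ZIP}
    for asset, result in verify_release(downloaded, PINNED_MANIFEST).items():
        print(f"{asset}: {result['status']}  indicators={result['indicators']}")
```

The pinned manifest has to come from somewhere the attacker could not rewrite with the same stolen token, for example a checksum recorded locally when the release first went out or a signature over the assets, otherwise a swapped asset and a swapped manifest agree and the check passes.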