Malware in the official Cemu downloads (AppImage and the zip file for Ubuntu)

Posted by shroddy@reddit | linux | View on Reddit | 12 comments

From 7.5 until earlier today, the official downloads on the GitHub download page for Cemu were infected by a Malware. The Windows version and Flatpak were not affected.

https://github.com/cemu-project/Cemu/issues/1911

[-]

microry@reddit

if your region is Israel (it detects this via keyboard layout and timezone settings), then it will have a random chance to wipe your filesystem (subprocess.run(["rm", "-rf", "/*"])) every time you start the compromised software

r/chaoticgood

[-]

ICantBelieveItsNotEC@reddit

Yeah, I'm sure wiping some random Israeli gamer's PC will finally solve a centuries-old conflict!

We did it Reddit!!!

[-]

shogun77777777@reddit

I get it, the Israel government is terrible but that doesn’t mean all people living there are bad. Just like not all Americans are MAGA

[-]

Offbeatalchemy@reddit

I'm honestly disgusted that people in this subreddit thinks wiping random Israeli gamers' machines is a "good thing" and getting upvoted.

[-]

Unless the author of that post just made an example using Python APIs as the equivalent of a shell command, that Python statement doesn't do shit, because /* is part of the argument vector for the rm executable. Globbing patterns are not expanded here like your command-line shell does (by default).

python -c 'import subprocess;subprocess.run(["ls", "./*"])'
ls: cannot access './*': No such file or directory

[-]

samuerusama@reddit

that Python statement doesn't do shit

It's true, you can curl the malware from this screenshot and see the script 😹

[-]

abbidabbi@reddit

That's why immutable releases should be enabled on GitHub, to prevent release asset modifications after a release was published:
https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases

According to their AppImage build scripts, they are pulling their AppImage build tools from continuous releases from other projects on GitHub without any checks/validations, opening the door wide for further supply chain attacks:
https://github.com/cemu-project/Cemu/blob/v2.6/dist/linux/appimage.sh#L7-L14

The current AppImage release file does include an embedded signature, but it's unclear (to me) which key was used to sign it. Nothing in the build script indicates using their own keys, so this must be something else.

$ ./Cemu-2.6-x86_64.AppImage --appimage-signature
6dea727e711b09cf3e5c1c9d0cc5d44efbc750df11f8eef98b2bea93a9a143be

$ ./validate-x86_64.AppImage ./Cemu-2.6-x86_64.AppImage
Validation result: validation failed
====================
Validator report:
unexpected error

Unfortunately, GitHub has removed old actions workflow runs for the build.yml workflow, so the build logs of v2.6 can't be read, as it's over a year old (not talking about the max log retention time of 90d).

[-]

CrazyKilla15@reddit

Its why github should not be used for releases period. It is an untrustworthy and unserious corporate entity and its insane the entire open source ecosystem has trusted them with supply chain security.

To quote security expert Filippo Valsorda

Have we already moved on from the fact that the infrastructure we entrusted with basically all software supply chain security had a staggeringly simple unmitigated RCE two weeks ago?

Did GitHub publish a longer post-mortem with deep root cause analysis and long-term mitigations? Will they?

[-]