Backdoored Cemu release linked to TanStack and Mistral supply chain campaign
ID: af7919d3-c670-5de0-baa6-20a542799c29
STIX ID: report--af7919d3-c670-5de0-baa6-20a542799c29
Feed Name: Datadog Security Labs
Datadog Security Labs documents a coordinated supply-chain campaign that, within hours, poisoned npm and PyPI packages and replaced the Linux release assets on the official cemu-project/Cemu GitHub release with a backdoored AppImage and an Ubuntu zip, both bundling a Python zipapp (startup.pyz/transformers.pyz). The payload targets Linux hosts: it harvests AWS, Azure, GCP, Kubernetes and local credentials, installs persistence as a systemd service, exfiltrates to the C2 at 83.142.209.194 (with GitHub- and repository-based fallback channels), and carries a geofenced destructive component. IOCs, including SHA256 hashes and the C2 IP, are provided.
