A disturbing new tactic has emerged in the Linux software ecosystem, turning trusted developer accounts into vehicles for malware. Alan Pope, Director of Developer Relations at Anchore and a former Canonical engineering manager, has issued a stark warning about a “relentless campaign” targeting the Canonical Snap Store.
Scammers are no longer just uploading fake apps; they are hijacking legitimate ones by seizing the expired domains of dormant developers.
The attack vector is as simple as it is effective. The Snap Store, which hosts over 7,000 applications for Linux users, allows developers to publish updates to their packages. However, if a developer abandons their project and lets their email domain lapse, attackers can swoop in.
“They’re now registering expired domains belonging to legitimate snap publishers, taking over their accounts, and pushing malicious updates to previously trustworthy applications,” Pope writes in his analysis.
Once the attackers control the domain, they can reset the password for the associated Snap Store account and push a compromised update to thousands of unsuspecting users who effectively “trusted” the original author.
This escalation is particularly damaging because it preys on the reputation of established developers. Users who installed a safe app years ago are suddenly auto-updated to a malicious version without any red flags.
“The domain takeover angle is particularly concerning because it undermines one of the few trust signals users had: publisher longevity,” Pope notes.
The primary goal of these hijackings appears to be financial theft. The report highlights cryptocurrency wallets as a major danger zone. Pope advises users to “be extremely cautious with cryptocurrency wallet applications from any source, not just the Snap Store”.
His recommendation is blunt: “Actually, scratch that – just don’t install crypto wallet apps from app stores at all. Get them directly from the official project websites”.
Pope, who still maintains nearly 50 packages in the store himself, is calling on Canonical to implement stricter safeguards, such as monitoring for domain expiry or requiring two-factor authentication for dormant accounts.
For now, the defense relies on vigilance. “If you’re a snap publisher: keep your domain registration current, and enable two-factor authentication if you haven’t already,” he urges. “Your lapsed domain could become someone else’s attack vector”.
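The store-side safeguard Pope asks for (monitoring publisher domains for expiry, with extra scrutiny for dormant accounts lacking two-factor authentication) can be sketched as a small monitor. The code below is an added example written for this article; it is not code from Pope, Anchore or Canonical, and the Snap Store has no such published API. The `Publisher` record, the `assess` policy and its thresholds are assumptions. Domain expiry dates are read from RDAP JSON (the registry lookup format of RFC 9083, whose `events` list carries an `expiration` entry); the responses and publisher records embedded here are constructed samples so the script runs offline.

```python
"""Flag publisher accounts whose e-mail domain has lapsed or is about to.

Added example, not the article's or Canonical's code. A lapsed domain can be
re-registered by anyone, who then receives the account's password-reset
mail; dormant accounts without 2FA are the ones most exposed to that.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional


@dataclass
class Publisher:
    """Hypothetical store record: account name, login e-mail domain, activity."""
    name: str
    email_domain: str
    last_login: datetime
    two_factor: bool


def rdap_expiry(rdap_json: str) -> Optional[datetime]:
    """Return the domain's expiration date from an RDAP document, or None.

    RDAP (RFC 9083) lists lifecycle events as {"eventAction": ..., "eventDate": ...};
    the one we care about is "expiration". Dates are ISO 8601, usually with a Z.
    """
    doc = json.loads(rdap_json)
    for event in doc.get("events", []):
        if event.get("eventAction") == "expiration":
            stamp = event["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(stamp)
    return None


def assess(pub: Publisher, expiry: Optional[datetime], now: datetime,
           dormant_after: timedelta = timedelta(days=365),
           warn_within: timedelta = timedelta(days=30)) -> str:
    """Severity for one account (thresholds are assumptions, not store policy)."""
    dormant = now - pub.last_login > dormant_after
    if expiry is None:
        return "unknown"          # registry gave no expiry; needs a human look
    if expiry <= now:
        # Domain is already re-registrable: password-reset mail is exposed.
        return "critical" if dormant and not pub.two_factor else "high"
    if expiry - now <= warn_within:
        return "warning" if dormant else "info"
    return "ok"


def monitor(publishers: Iterable[Publisher], rdap_by_domain: Dict[str, str],
            now: datetime) -> Dict[str, str]:
    """Map each publisher name to its severity using the RDAP docs supplied."""
    return {
        p.name: assess(p, rdap_expiry(rdap_by_domain.get(p.email_domain, "{}")), now)
        for p in publishers
    }


# ---- constructed sample data (no real publishers or domains) ----------------
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)


def _rdap_doc(expiry_iso: Optional[str]) -> str:
    """Build a minimal RDAP-shaped JSON document for the samples below."""
    events = [{"eventAction": "registration", "eventDate": "2018-03-01T00:00:00Z"}]
    if expiry_iso:
        events.append({"eventAction": "expiration", "eventDate": expiry_iso})
    return json.dumps({"objectClassName": "domain", "events": events})


SAMPLE_PUBLISHERS = [
    Publisher("alice", "alice-apps.example", NOW - timedelta(days=1100), False),
    Publisher("bob", "bobsoft.example", NOW - timedelta(days=7), True),
    Publisher("carol", "carol-tools.example", NOW - timedelta(days=800), True),
    Publisher("dave", "dave.example", NOW - timedelta(days=30), False),
    Publisher("erin", "erin.example", NOW - timedelta(days=2), True),
]

SAMPLE_RDAP = {
    "alice-apps.example": _rdap_doc("2024-11-01T00:00:00Z"),   # already lapsed
    "bobsoft.example": _rdap_doc("2025-02-04T00:00:00Z"),      # 20 days out, active owner
    "carol-tools.example": _rdap_doc("2025-01-25T00:00:00Z"),  # 10 days out, dormant owner
    "dave.example": _rdap_doc(None),                           # registry omitted expiry
    "erin.example": _rdap_doc("2026-01-01T00:00:00Z"),
}


if __name__ == "__main__":
    for name, severity in sorted(monitor(SAMPLE_PUBLISHERS, SAMPLE_RDAP, NOW).items()):
        print(f"{name:8s} {severity}")
```

In practice the RDAP document would come from the registry's RDAP service for each domain, and the store would run this on a schedule; a "critical" result is the case Pope describes, where a dormant account with no second factor sits behind a domain anyone can now register.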