March 20, 2026

PBX Science

Linux Users Alert: Snap Store Under Attack via Expired Domain Takeovers

A new supply chain attack method is exploiting expired domains to hijack trusted publisher accounts in Canonical’s Snap Store, turning legitimate applications into cryptocurrency-stealing malware.

On January 17, 2025, Alan Pope, a former Canonical employee and prominent Ubuntu community figure who maintains nearly 50 Snap applications, issued a stark warning about an evolving threat targeting Linux users.

The Snap Store, operated by Canonical (the company behind Ubuntu), is facing a sophisticated supply chain attack that exploits a critical weakness in how publisher accounts are verified and maintained.

The Evolution of the Attack

For over a year, security professionals have documented a persistent campaign of malicious Snap packages impersonating cryptocurrency wallet applications. Earlier iterations relied on creating new publisher accounts with convincing storefronts, which were relatively easy to identify and remove. However, attackers have now shifted tactics to monitor the Snap Store for publishers whose associated domain names have expired.

The attack methodology is disturbingly straightforward. When a domain previously used by a legitimate Snap publisher expires, attackers immediately register it. They then use the email address associated with that domain to trigger a password reset in the Snap Store, effectively taking control of an established, trusted publisher account without raising suspicions.

This represents a significant escalation because it undermines one of the few trust signals users had: publisher longevity. Applications that users installed years ago and have trusted through countless updates can suddenly become malware distribution channels through what appears to be a routine update.

Confirmed Cases and Attack Pattern

Pope has identified at least two publisher domains that have been compromised using this method: storewise.tech and vagueentertainment.com. The compromised applications typically masquerade as well-known cryptocurrency wallets such as Exodus, Ledger Live, or Trust Wallet, with interfaces that closely resemble the legitimate software.

The malicious applications follow a consistent pattern. Upon launch, they contact a remote server to verify network connectivity before proceeding. Once operational, they prompt users to enter their wallet recovery phrases for supposed account recovery or verification. When users submit these sensitive credentials, the information is immediately transmitted to the attackers’ servers. By the time the deception becomes apparent, the wallet contents are typically already gone.

The financial stakes are substantial. In one documented case from 2024, a single victim lost $490,000 worth of Bitcoin to a fake Exodus wallet application distributed through the Snap Store.

The Enforcement Gap

While Canonical does remove malicious applications once they are reported, Pope notes a critical problem: enforcement often lags behind discovery. During this window, malicious updates remain available and can affect numerous users. The reliance on reactive measures rather than proactive prevention creates a persistent vulnerability that attackers are systematically exploiting.

Pope, who has been tracking this issue since early 2024 and recently developed a monitoring tool called SnapScope, emphasizes that while he remains sympathetic to Canonical’s engineers, the current situation is unsustainable. The company already implements manual review processes for new Snap name registrations, but these measures do not address the domain resurrection attack vector.

Industry Context: Other Platforms Taking Action

The Snap Store is not alone in facing domain resurrection attacks, but its response has been notably slower than that of other package repositories.

The Python Package Index (PyPI) implemented automated domain monitoring in June 2025, unverifying over 1,800 email addresses associated with domains entering expiration phases.

This proactive approach demonstrates that technical solutions to the problem exist and are being deployed elsewhere in the software ecosystem.

Recommendations for Protection

Security experts have issued recommendations for both developers and users to mitigate these risks.

For Snap publishers and developers:

  • Ensure domain registrations remain current with timely renewals
  • Enable two-factor authentication (2FA) on publisher accounts to add an additional security layer
  • Be aware that an expired domain can become an attack vector even after a publisher has ceased active development

For users, especially those dealing with cryptocurrency:

  • Exercise extreme caution with wallet applications from any app store, including the Snap Store
  • Verify publisher information and check when applications were last updated
  • Avoid installing cryptocurrency wallet software through app stores entirely; instead, download directly from official project websites to bypass supply chain risks
  • If something seems suspicious, trust your instincts and investigate further before entering sensitive information

The Path Forward

The situation highlights broader challenges in maintaining trust and security in open application distribution platforms. While Canonical faces the difficult task of balancing accessibility with security, the current state leaves users vulnerable to attacks that exploit systematic weaknesses rather than requiring sophisticated technical exploits.

Potential solutions include monitoring domain expiration for publisher accounts, requiring additional verification for dormant accounts, implementing mandatory two-factor authentication, or combining multiple security measures. Whatever approach Canonical chooses, the urgency is clear: without significant changes to the Snap Store’s security architecture, users will continue to face risks from attackers who have found a reliable method to hijack trusted distribution channels.
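One way the domain-expiry monitoring and dormant-account checks named above (and the PyPI-style unverification described earlier) could be implemented on the store side, as an added example that is not part of the article or of any Snap Store or PyPI code. All publishers, domains and registry records below are constructed, and the risk levels and account actions are assumptions chosen to illustrate the policy:

```python
from dataclasses import dataclass
from datetime import date
@dataclass
class Publisher:
    name: str
    email: str
    email_verified_on: date  # when the store last confirmed this address
    last_publish_on: date    # most recent upload to any of the publisher's snaps

@dataclass
class DomainRecord:
    registered_on: date
    expires_on: date
    statuses: tuple = ()     # EPP status codes as an RDAP/WHOIS lookup would return them
# Constructed sample data; the .test domains are placeholders, not the ones named in the article.
TODAY = date(2025, 1, 17)
PUBLISHERS = [
    Publisher("active-dev", "me@active.test", date(2022, 3, 1), date(2025, 1, 2)),
    Publisher("dormant-dev", "me@dormant.test", date(2020, 6, 1), date(2021, 9, 30)),
    Publisher("grace-dev", "me@grace.test", date(2021, 2, 2), date(2024, 8, 8)),
    Publisher("resurrected-dev", "me@resurrected.test", date(2019, 1, 1), date(2020, 5, 5)),
    Publisher("lapsed-dev", "me@lapsed.test", date(2021, 2, 2), date(2023, 8, 8)),
]
REGISTRY = {
    "active.test": DomainRecord(date(2015, 1, 1), date(2026, 1, 1)),
    "dormant.test": DomainRecord(date(2018, 1, 1), date(2025, 2, 1)),          # renews in 15 days
    "grace.test": DomainRecord(date(2016, 1, 1), date(2024, 12, 1), ("redemptionPeriod",)),
    "resurrected.test": DomainRecord(date(2024, 12, 20), date(2025, 12, 20)),  # re-registered after verification
    # lapsed.test is absent: the registry reports it as available for anyone to register
}

def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[1].lower()
def assess(pub: Publisher, record, today: date = TODAY, expiry_window: int = 30, dormant_after: int = 365):
    """Classify one publisher's contact domain and name the account action to take (assumed policy)."""
    dormant = (today - pub.last_publish_on).days > dormant_after
    if record is None:
        return "critical", "unverify email; refuse email-based password reset"
    if record.registered_on > pub.email_verified_on:
        return "critical", "domain changed hands since verification; unverify and re-verify out of band"
    if any(s in record.statuses for s in ("redemptionPeriod", "pendingDelete")):
        return "high", "unverify email until the registration is restored"
    if (record.expires_on - today).days <= expiry_window:
        return ("high" if dormant else "medium"), "warn publisher; require 2FA before further uploads"
    if dormant:
        return "low", "require additional verification before a dormant account can publish or reset"
    return "ok", "none"

def run(today: date = TODAY) -> dict:
    return {p.name: assess(p, REGISTRY.get(domain_of(p.email)), today) for p in PUBLISHERS}
```

The re-registration check is the one that catches the attack described in this article: a contact domain whose registration date is newer than the store's own verification of that address has changed hands, so a password reset to it must not be honoured.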

As Linux continues to grow in desktop market share and cryptocurrency adoption remains widespread, the convergence of these factors makes the Snap Store an increasingly attractive target. The responsibility now falls on Canonical to implement the technical safeguards necessary to protect its users and restore confidence in the platform’s security.


This article is based on security research published by Alan Pope on January 17, 2025, and verified through multiple independent security sources.
