Snap Store, a centralized application repository for distributing snap packages operated by Canonical, allows developers to publish applications with relatively low barriers to entry, while users can install and update software automatically through a single trusted channel. However, that trust is now under strain.

In a blog post, Alan Pope, a longtime Ubuntu community figure and former Canonical employee who remains an active Snap publisher, maintaining nearly 50 snaps with thousands of users, warns of a worrying trend affecting Snap packages. Here’s what it’s all about.

For more than a year, Pope and other security professionals have documented a persistent campaign of malicious snaps impersonating cryptocurrency wallet applications. These fake apps typically mimic well-known projects such as Exodus, Ledger Live, or Trust Wallet, prompting users to enter wallet recovery phrases, which are then transmitted to attackers, resulting in drained funds.

  • ultimate_worrier@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    0
    ·
    6 months ago

    I’d say NixOS is safe from this but that’s probably not true. (Malicious nixpkgs derivations haven’t happened yet AFAIK). However, GUIX almost certainly is safe from this for now due to their “build the world from source” philosophy coupled with their obscurity.

    • Auth@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      6 months ago

      If the attacker controlled the domain wouldnt they control the source?

      • ultimate_worrier@lemmy.dbzer0.com
        link
        fedilink
        arrow-up
        0
        ·
        6 months ago

        Yes. But content-addressed derivations go a long way toward mitigating that attack vector, IMO. Not sure how far along GUIX is in ca, though. So perhaps it’ll help nixpkgs to have a sandboxed machine that generates hashes for that.

    • tomenzgg@midwest.social
      link
      fedilink
      English
      arrow-up
      0
      ·
      6 months ago

      I one time got an E-mail claiming my computer had been hacked and they’d installed monitoring software in my root/system location and I was like, “In my /gnu/store? Doubtful…”

    • kumi@feddit.online
      link
      fedilink
      English
      arrow-up
      0
      ·
      6 months ago

      Everything in there is relevant and applies to flatpaks too. Being aware of the risks is important when using alternative distribution methods. With power, responsibility.

  • grue@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    6 months ago

    Sure is a good thing Ubuntu doesn’t sometimes sneakily install a Snap when you try to use apt to install a package, such as with Firefox. Tricking users into using Snap without realizing it, making them unknowingly vulnerable to exploits like this, would be really really bad and unethical on Canonical’s part.

    • kumi@feddit.online
      link
      fedilink
      English
      arrow-up
      0
      ·
      6 months ago

      Juat so nobody is confused or gets afraid of their install: Getting the Firefox snap installed via Ubuntus apt package does not make users vulnerable to what is talked about here.

      The post is about third-party fake snaps. If you run a snap install command from a random web site or LLM wkthout checking it, or making a typo, then you may be

  • morto@piefed.social
    link
    fedilink
    English
    arrow-up
    0
    ·
    6 months ago

    That one was to counterbalance the pattern of good news I mentioned in another thread >.<