Snap Store Domain Hijacking – Poisoned Linux Packages

Attackers are exploiting domain hijacking in the Canonical Snap Store, turning trusted Linux packages into malware delivery mechanisms. This campaign represents a critical escalation in supply chain attacks against desktop and server environments.

How the Attack Works

1. Target abandoned publisher accounts:
   • When legitimate Snap publishers let their domain registrations expire, attackers purchase the lapsed domains.
2. Password reset abuse:
   • Using the hijacked domain, attackers trigger a Snap Store password reset, gaining full control of the publisher account.
3. Malicious updates:
   • Instead of creating new accounts (which might raise suspicion), attackers push malicious updates to existing, trusted applications.
   • Users updating long-installed snaps unknowingly install wallet-stealing malware.

Impact

• Fraudulent crypto apps: Fake versions of Exodus and Ledger Live steal wallet recovery phrases.
• Real-time theft: Credentials are transmitted instantly to attacker-controlled servers.
• Scale: Threat extends beyond individuals to organizations managing fleets of Linux systems, risking widespread compromise.
• Confirmed compromised domains:
  • storewise.tech
  • vagueentertainment.com
• Origin: Campaign infrastructure traced to regions near Croatia.

Why It’s Dangerous

• Trust hijack: Exploits existing publisher history and trust signals.
• False sense of security: Users cautious about new publishers are still vulnerable when old, trusted apps are poisoned.
• Supply chain risk: A single compromised Snap package can spread malware across thousands of endpoints.

Defensive Recommendations

• For Linux users:
  • Avoid installing or updating cryptocurrency-related snaps until Canonical confirms integrity.
  • Verify publisher domains and check for suspicious updates.
  • Use two-factor authentication where possible.
• For organizations:
  • Audit Snap deployments across fleets.
  • Monitor for anomalous crypto wallet activity.
  • Restrict installation of high-risk categories (wallets, financial apps).
• For Canonical (Snap Store):
  • Implement domain monitoring for publisher accounts.
  • Enforce 2FA for all publishers.
  • Verify account changes from dormant publishers before allowing updates.

Takeaway

This campaign shows how domain hijacking can weaponize trusted repositories. By exploiting expired domains, attackers bypass traditional user caution and poison long-trusted applications. Until Canonical strengthens Snap Store protections, Linux users face genuine risk from poisoned packages, especially in cryptocurrency and enterprise environments.