Snap Store Neglect
-
SlowMist Identifies ‘Future Attack’ in Linux Store
In a novel attack, cybercriminals exploit trust in the official Snap Store on Linux to steal seed phrases from cryptocurrency wallets. This was reported by SlowMist’s head of information security, known as 23pds.
-
Cryptonews ☛ Hackers Hijack Snap Store Accounts to Push Crypto-Stealing Malware on Linux
Rather than creating fresh accounts on the Snap Store, which is operated by Canonical, attackers are now taking over existing publisher accounts, according to a warning from Ubuntu contributor and former Canonical developer Alan Pope.
The method relies on identifying expired web domains and email addresses linked to long-standing Snap Store developers, registering those domains, and then using the recovered access to hijack Snapcraft accounts.
-
Help Net Security ☛ Linux users targeted by crypto thieves via hijacked apps on Snap Store
Instead of creating new accounts on this Canonical-run package repository, the attackers are taking over expired web domains and associated email servers tied to existing Snap Store publishers, and using that access to hijack their Snapcraft accounts and push malicious updates to previously benign packages.
[...]
He advised users to be especially careful with cryptocurrency wallet snaps and consider obtaining such applications directly from official project sites rather than through any app store.
Pope also created SnapScope, a web app that users can leverage to check whether a snap is vulnerable, suspicious or malicious before they start using it.
Finally, he advised snap publishers to keep their domain registration current and enable two-factor authentication (2FA) for their email and Snapcraft accounts.
Help Net Security has reached out to Canonical to ask whether they mean to implement additional safeguards around domain ownership and account recovery and additional checks to spot malicious updates to already published snaps. We’ll update this article when we have more information to share.
Update
Late coverage:
-
Linux users targeted: hackers invade Snap packages with crypto-stealing malware
Hackers are invading Snapcraft, the central app store for Ubuntu and a major software repository for other Linux distributions. Security experts warn of cybercriminals impersonating popular cryptocurrency wallets and taking over dormant SNAP packages.
Days later:
-
Linux users targeted as crypto-stealing malware hits Snap packages - here's how to stay safe
Snapcraft is being invaded by hackers who are taking over dormant and inactive apps (‘snaps’) and using them to steal people’s cryptocurrency, experts have said.
“There’s a relentless campaign by scammers to publish malware in the Canonical Snap Store. Some get caught by automated filters, but plenty slip through,” cybersecurity researchers at Anchore said.
And then this:
-
Fake cryptocurrency wallet apps target Linux users with cryptostealers
Cybernews reports that illicit apps spoofing the widely used cryptowallets Exodus, Trust Wallet, and Ledger Live in the Canonical Snap Store have facilitated the distribution of crypto-stealing malware against Linux users.
Techniques used to publish the apps have increased in sophistication, with attackers most recently venturing to hijack reputable publishers' domains whose registrations had already expired, after initial attempts to use convincing storefronts and innocuous snap names were thwarted, according to an analysis by Anchore Director of Developer Relations Alan Pope.