
Domain‑takeover attacks erode trust in Linux app stores, risking users' cryptocurrency assets and the reputation of the Snap ecosystem. Prompt mitigation and stricter publisher safeguards are essential to protect the growing Linux user base.
The Snap Store, Canonical’s primary Linux package repository, has long been a target for malicious actors, but the latest campaign introduces a sophisticated domain‑takeover vector. By acquiring lapsed domains tied to legitimate publishers, thieves inherit Snapcraft credentials and push covert updates that masquerade as harmless applications. This bait‑and‑switch technique bypasses traditional name‑based filters, allowing crypto‑stealing code to infiltrate users’ systems silently, often extracting wallet recovery phrases before victims notice any irregularities.
For Linux users, the implications are twofold: first, the perceived safety of curated app stores is undermined, and second, the financial stakes rise as cryptocurrency adoption expands. While Canonical’s swift removal of identified malicious snaps demonstrates a reactive defense, the lag between report and takedown leaves a window of exposure. Security professionals recommend verifying snap sources directly from project websites and employing tools like SnapScope, which scans package metadata for suspicious changes, offering an additional layer of pre‑install scrutiny.
Looking ahead, the Snap ecosystem must adopt proactive safeguards to restore confidence. Monitoring domain expiration, enforcing mandatory two‑factor authentication for publisher accounts, and instituting rigorous review of snap revisions could curb future hijacks. Moreover, a transparent audit trail for snap updates would enable rapid community detection of anomalies. As Linux continues its ascent in enterprise and developer circles, reinforcing these security pillars is critical to protecting both user assets and the broader open‑source software supply chain.
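As an added illustration of the metadata scrutiny and domain-expiration monitoring recommended above (example code written for this page, not SnapScope's or Canonical's implementation): a small Python check that pins a snap's publisher id and contact domain from a trusted baseline and flags drift, a revision that goes backwards, or a contact domain with no registration record or one nearing expiry. Field names loosely mirror snap metadata but are assumptions, and all sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class SnapMeta:
    name: str
    publisher_id: str   # account id; assumed stable even if the display name changes
    publisher: str      # display name as shown in store metadata
    contact: str        # contact URL or mailto: address from the snap's metadata
    revision: int

def contact_domain(contact: str) -> str:
    """Reduce 'mailto:dev@example.org' or 'https://example.org/x' to 'example.org'."""
    c = contact.split("://", 1)[-1]
    if c.startswith("mailto:"):
        c = c[len("mailto:"):]
    return c.split("@")[-1].split("/")[0].lower()

def check_snap(baseline: SnapMeta, current: SnapMeta, domain_expiry: dict,
               today: str, warn_days: int = 30) -> list:
    """Compare current metadata with a pinned baseline; dates are ISO strings."""
    findings = []
    if current.publisher_id != baseline.publisher_id:
        findings.append(f"{current.name}: publisher id changed "
                        f"{baseline.publisher_id} -> {current.publisher_id}")
    old_dom, new_dom = contact_domain(baseline.contact), contact_domain(current.contact)
    if old_dom != new_dom:
        findings.append(f"{current.name}: contact domain changed {old_dom} -> {new_dom}")
    if current.revision < baseline.revision:
        findings.append(f"{current.name}: revision went backwards "
                        f"{baseline.revision} -> {current.revision}")
    # A lapsed or unregistered contact domain is exactly what a takeover exploits.
    exp = domain_expiry.get(new_dom)
    if exp is None:
        findings.append(f"{current.name}: no registration record for {new_dom}")
    else:
        left = (date.fromisoformat(exp) - date.fromisoformat(today)).days
        if left <= warn_days:
            findings.append(f"{current.name}: contact domain {new_dom} expires in {left} days")
    return findings

def demo() -> list:
    """Constructed sample: publisher id and contact domain both changed, new domain expiring soon."""
    baseline = SnapMeta("example-wallet", "pub-1234", "Example Dev", "mailto:dev@example.org", 42)
    current = SnapMeta("example-wallet", "pub-9999", "Example Dev", "https://example.net/contact", 44)
    expiry = {"example.org": "2030-01-01", "example.net": "2025-01-20"}  # constructed WHOIS-like data
    return check_snap(baseline, current, expiry, today="2025-01-01")

if __name__ == "__main__":
    for line in demo():
        print(line)
```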