Monday, January 26, 2026

Snap Store Compromised: ‘Domain Resurrection’ Attack Pushes Malware to Linux Crypto Wallets

Attackers are buying expired developer domains to hijack trusted Linux Snap Store accounts and push auto-updates containing wallet-draining malware.

The Lede

A sophisticated supply chain attack has hit the Linux Snap Store, with cybercriminals hijacking legitimate publisher accounts to push wallet-draining malware to users. Alan Pope, a former Canonical engineer, identified the vector as “domain resurrection”. Attackers are purchasing expired domains linked to dormant Snapcraft developer accounts, resetting passwords, and deploying malicious updates to previously trusted applications.

The Mechanism: Trusted Accounts, Malicious Updates

This attack vector marks a critical escalation from typical “fake app” spam. Instead of creating new accounts that might trip review filters, attackers are seizing control of accounts with established histories.

According to Pope’s forensic analysis, the attackers targeted domains such as storewise.tech and vagueentertainment.com. Once these domains lapsed, the attackers registered them, triggered a password reset on the associated Snapcraft accounts, and gained full publishing rights. The result? Users who installed a benign app years ago received an automatic update containing code designed to exfiltrate seed phrases from Exodus, Ledger Live, and Trust Wallet implementations.

“The domain takeover angle is particularly concerning because it undermines one of the few trust signals users had: publisher longevity.” (Alan Pope)

Institutional Context

This breach highlights a systemic vulnerability in decentralized package repositories where publisher identity is tied solely to email domains without persistent authentication checks (like mandatory 2FA or activity audits). While Canonical has removed the identified malicious snaps, the vector remains open for any of the store’s thousands of dormant publishers.
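One form the activity audit mentioned above could take, seen from the store operator's side. This is an added example, not code from Canonical, Snapcraft or Alan Pope's analysis: it flags publisher accounts whose email domain is currently unregistered or was registered after the account was created, which is the footprint a lapsed and re-purchased domain leaves. The `Publisher` record, the reason labels and all sample accounts, domains and dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Publisher:
    account: str
    email: str
    account_created: date
    last_publish: date

def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[1].lower().rstrip(".")

def audit(publishers, registered_on, today, dormant_after=timedelta(days=365)):
    """Return {account: [reasons]} where an emailed password reset is unsafe.

    registered_on maps a domain to the creation date of its current
    registration (from WHOIS/RDAP); a missing domain means unregistered.
    """
    findings = {}
    for p in publishers:
        reasons = []
        reg = registered_on.get(email_domain(p.email))
        if reg is None:
            reasons.append("domain-unregistered")   # anyone can buy it
        elif reg > p.account_created:
            reasons.append("domain-reregistered")   # lapsed, then bought again
        if reasons and today - p.last_publish > dormant_after:
            reasons.append("dormant-publisher")     # owner unlikely to notice
        if reasons:
            findings[p.account] = reasons
    return findings

# Constructed sample data: hypothetical accounts, domains and dates.
PUBLISHERS = [
    Publisher("alice", "dev@Active-Project.example", date(2018, 3, 1), date(2025, 12, 10)),
    Publisher("bob", "me@lapsed-tool.example", date(2019, 6, 15), date(2021, 2, 1)),
    Publisher("carol", "c@gone-studio.example", date(2020, 1, 5), date(2020, 8, 20)),
]
REGISTERED_ON = {
    "active-project.example": date(2015, 4, 2),
    "lapsed-tool.example": date(2025, 11, 3),  # registered after bob's account
}

if __name__ == "__main__":
    for account, reasons in audit(PUBLISHERS, REGISTERED_ON, date(2026, 1, 26)).items():
        print(account, ", ".join(reasons))
```

Accounts flagged this way are candidates for having email-based password reset disabled until the publisher re-verifies through another channel.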

Market Reaction: Trust Wallet Token (TWT) traded softly at $0.87 (-6%), likely tracking broader market weakness rather than this specific Linux-vector news. However, security analysts advise Linux users to immediately uninstall crypto-related Snaps and source binaries directly from official project GitHubs or websites.