Attackers hijacked trusted Snap Store publishers via expired domains, allowing malicious wallet updates to reach long-time Linux users.
Blockchain security company SlowMist flagged a new Linux-based attack vector that exploits trusted applications distributed through the Snap Store to steal users’ crypto recovery seed phrases.
In a post on X, SlowMist’s chief information security officer, 23pds, said attackers are abusing expired domains to hijack long-standing Snap Store publisher accounts and distribute malicious updates through official channels.
The compromised applications reportedly impersonate popular crypto wallets, including Exodus, Ledger Live and Trust Wallet, using interfaces that closely resemble legitimate software.
