The Snap Store, Canonical's centralized repository for distributing snap packages, lets developers publish applications with relatively low barriers to entry, while users install and update software automatically through a single trusted channel. That trust is now under strain.
In a blog post, Alan Pope, a longtime Ubuntu community figure and former Canonical employee who remains an active Snap publisher (he maintains nearly 50 snaps with thousands of users), warns of a worrying trend affecting Snap packages. Here’s what it’s all about.
For more than a year, Pope and other security professionals have documented a persistent campaign of malicious snaps impersonating cryptocurrency wallet applications. These fake apps typically mimic well-known projects such as Exodus, Ledger Live, or Trust Wallet and prompt users to enter their wallet recovery phrases; the phrases are transmitted to the attackers, who then drain the wallets.
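The practical check that follows from this, shown here as an added example that is not from the article or from Alan Pope's post: before installing a snap that claims to be a wallet, compare the name it is trading on with who actually publishes it. The script below parses constructed `snap info`-style text (the real command prints a `publisher:` line and appends a check mark to verified publishers; that format, and every snap and publisher name in the sample data, is an assumption for illustration and not real Snap Store data) and flags wallet look-alikes that come from an unverified publisher, including typosquats that swap digits for letters.

```python
import difflib
import re

# Constructed sample output in the shape of `snap info <name>` (assumption:
# real output carries a "publisher:" line and appends a check mark to
# verified publishers). None of these snaps or publishers are real data.
SAMPLE_SNAP_INFO = {
    "exodus": "name:      exodus\nsummary:   Crypto wallet\npublisher: Exodus Movement✓\n",
    "exodus-wallet-official": "name:      exodus-wallet-official\nsummary:   Exodus wallet\npublisher: walletdev-2024\n",
    "exodux": "name:      exodux\nsummary:   Wallet\npublisher: crypto-apps\n",
    "ledger-1ive": "name:      ledger-1ive\nsummary:   Ledger companion\npublisher: ledger-team\n",
    "trust-wa11et": "name:      trust-wa11et\nsummary:   Trust Wallet\npublisher: tw-desktop\n",
    "gimp": "name:      gimp\nsummary:   Image editor\npublisher: snapcrafters\n",
}

# Brands the campaign described above impersonates.
KNOWN_WALLETS = ["Exodus", "Ledger Live", "Trust Wallet"]

# Digit-for-letter swaps commonly used in typosquatted names.
_SUBS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def normalize(name):
    """Lowercase, drop separators and undo digit-for-letter swaps."""
    return re.sub(r"[\s_\-.]", "", name.lower()).translate(_SUBS)


def parse_publisher(info_text):
    """Return (publisher_name, verified) from snap-info style text."""
    m = re.search(r"^publisher:\s*(.+?)\s*$", info_text, re.MULTILINE)
    if not m:
        return ("", False)
    pub = m.group(1)
    verified = pub.endswith("✓")
    return (pub.rstrip("✓").strip(), verified)


def lookalike_of(name, threshold=0.8):
    """Return the wallet brand this snap name resembles, or None.

    A name matches if the normalized brand is a substring of the normalized
    snap name, or if the two are close by difflib similarity (catches
    single-character typos such as "exodux").
    """
    n = normalize(name)
    for brand in KNOWN_WALLETS:
        b = normalize(brand)
        if b in n or difflib.SequenceMatcher(None, n, b).ratio() >= threshold:
            return brand
    return None


def audit(snap_infos):
    """Flag snaps that resemble a wallet brand but come from an unverified publisher.

    Returns a list of (snap_name, brand, publisher) tuples.
    """
    findings = []
    for name, text in snap_infos.items():
        brand = lookalike_of(name)
        if brand is None:
            continue
        publisher, verified = parse_publisher(text)
        if not verified:
            findings.append((name, brand, publisher))
    return findings


if __name__ == "__main__":
    for name, brand, publisher in audit(SAMPLE_SNAP_INFO):
        print(f"SUSPICIOUS: {name!r} resembles {brand!r} but publisher {publisher!r} is unverified")
```

On a real system the text for each candidate would come from running `snap info <name>` and the brand list would be whatever wallets your users actually run; the verified-publisher mark is the signal, since a malicious snap can copy the name, icon and description but not the verification.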

I’d say NixOS is safe from this but that’s probably not true. (Malicious nixpkgs derivations haven’t happened yet AFAIK). However, GUIX almost certainly is safe from this for now due to their “build the world from source” philosophy coupled with their obscurity.
Except if you use a third-party channel for some software, in which case you get all the same problems again.
I one time got an e-mail claiming my computer had been hacked and they’d installed monitoring software in my root/system location and I was like, “In my /gnu/store? Doubtful…”

If the attacker controlled the domain wouldn’t they control the source?
Yes. But content-addressed derivations go a long way toward mitigating that attack vector, IMO. Not sure how far along GUIX is in ca, though. So perhaps it’ll help nixpkgs to have a sandboxed machine that generates hashes for that.