CarderPlanet
Professional
Malicious code brought down automation in the Snap Store.
Canonical has temporarily disabled the automatic verification system for published packages in the Snap Store due to the appearance in the repository of suspicious packages with malicious code designed to steal cryptocurrency from users. At the moment, it is unclear whether the incident is related to the publication of malicious packages by third-party developers or whether there is a security problem with the repository itself, since the official statement describes the situation as a "potential security incident".
Canonical promises to provide details of the incident upon completion of the investigation. During the proceedings, the service is switched to manual review mode, where all registrations of new snap packages will be manually checked before publication. This change will not affect downloading and publishing updates for existing snap packages.
Problems were identified in the ledgerlive, ledger1, trezor-wallet, and electrum-wallet2 packages published by attackers under the guise of official packages from the developers of the marked crypto wallets, although in fact they were not related to them. Currently, problematic snap packages have already been removed from the repository and are no longer available for search and installation via the snap utility.
Canonical has temporarily disabled the automatic verification system for published packages in the Snap Store due to the appearance in the repository of suspicious packages with malicious code designed to steal cryptocurrency from users. At the moment, it is unclear whether the incident is related to the publication of malicious packages by third-party developers or whether there is a security problem with the repository itself, since the official statement describes the situation as a "potential security incident".
Canonical promises to provide details of the incident upon completion of the investigation. During the proceedings, the service is switched to manual review mode, where all registrations of new snap packages will be manually checked before publication. This change will not affect downloading and publishing updates for existing snap packages.
Problems were identified in the ledgerlive, ledger1, trezor-wallet, and electrum-wallet2 packages published by attackers under the guise of official packages from the developers of the marked crypto wallets, although in fact they were not related to them. Currently, problematic snap packages have already been removed from the repository and are no longer available for search and installation via the snap utility.
