SlowMist flags Linux Snap Store attack targeting crypto seed phrases

SlowMist, a leading blockchain security firm, has issued a critical security alert warning Linux users about a sophisticated malware campaign exploiting the Ubuntu Snap Store. The attack is specifically designed to identify and steal cryptocurrency seed phrases and private keys from victims.

The exploit involves malicious actors uploading trojanized applications, often disguised as cracked software or legitimate utility programs, to the official Snap repository. Once installed and executed by a user, the hidden malware silently initiates a scan of the Linux file system. The code is programmed to search for common file paths, directories, and file extensions where users typically store cryptographic material, including plaintext seed phrase backups or wallet configuration files associated with popular applications like Exodus, Ledger Live, and various command-line wallets.

Upon locating a seed phrase (the 12- or 24-word recovery phrase), the data is immediately exfiltrated to an external command-and-control (C2) server controlled by the attackers, granting them full control over the user’s cryptocurrency assets.

SlowMist emphasizes that the danger lies in the inherent trust users place in official application repositories like the Snap Store. While Canonical attempts to vet submissions, this campaign highlights how supply-chain attacks can bypass automated security checks.

Users are strongly advised to verify the authenticity and publisher of any application installed via Snap, especially those related to cryptocurrency or finance. Furthermore, storing digital seed phrases on any internet-connected computer remains a significant security risk, and the use of dedicated hardware wallets or secure, offline storage is recommended.

Source: SlowMist flags Linux Snap Store attack targeting crypto seed phrases