-640x358.jpg&w=1200&q=75)
Blockchain security firm SlowMist has flagged a Linux-based attack exploiting trusted apps distributed through the Snap Store.
The attack targets users’ crypto recovery seed phrases by pushing malicious wallet updates through hijacked publisher accounts.
SlowMist chief information security officer 23pds said attackers abuse expired domains to take control of long-standing Snap Store publishers.
Compromised applications impersonate popular crypto wallets, including Exodus, Ledger Live and Trust Wallet.
The malicious apps prompt users to enter recovery phrases, allowing attackers to drain funds without detection.
The Snap Store is the official Linux app marketplace for distributing snap-packaged software.
SlowMist said attackers monitor developer accounts linked to domains that later expire.
Once expired, attackers re-register the domains and reset publisher credentials using linked email addresses.
This allows malicious updates to be pushed to existing users rather than through new installations.
SlowMist confirmed that publisher domains storewise.tech and vagueentertainment.com were compromised.
The firm said the attack reflects a broader shift toward supply-chain exploits in crypto-related security breaches.
CertiK data showed crypto hack losses reached $3.3 billion in 2025 despite fewer overall incidents.