Slashdot Mirror
Malware Found In the Ubuntu Snap Store (linuxuprising.com)
An anonymous reader quotes a report from Linux Uprising: Oh, snap! Just because some packages are available to install directly from the Ubuntu Software Center doesn't make them safe. This is proved by a recent discovery of malware in some snap packages from the Ubuntu Snaps Store.
At least two of the snap packages, 2048buntu and hextris, uploaded to the Ubuntu Snaps Store by user Nicolas Tomb, contained malware. All packages by Nicolas have since been removed from the Ubuntu Snaps Store, "pending further investigations." The report comes from a bug which mentions that the 2048buntu snap package (and other packages by Nicolas Tomb) contains a hidden cryptocurrency miner inside.
At least two of the snap packages, 2048buntu and hextris, uploaded to the Ubuntu Snaps Store by user Nicolas Tomb, contained malware. All packages by Nicolas have since been removed from the Ubuntu Snaps Store, "pending further investigations." The report comes from a bug which mentions that the 2048buntu snap package (and other packages by Nicolas Tomb) contains a hidden cryptocurrency miner inside.
With all dependencies built in, there is a lot to comb through, not to mention that those dependencies may not even be completely patched and up to date.
I'd rather install software the traditional way and be sure that each component I install is verified.
How's this surprising. These containerized applications are full userland stacks, all the libs and dependencies the program needs, and then some, wrapped up. It's so easy to hide malware there, and so very difficult to audit them before inclusion, because their very raison d'etre is --- to avoid maintainership and allow "third party" vendors to distribute their mini-distros around.
Is anyone REALLY surprised by this?