Aqua Nautilus researchers have identified a security issue that arises from the interaction between Ubuntu’s command-not-found package and the snap package repository. While command-not-found serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages.
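As an added illustration (not code from the post or from the Aqua Nautilus report), here is a small Python model of the risk: a suggester that consults an apt command index first and a snap name index second, plus a defender-side check that flags any suggestion whose only backing is an unverified snap publisher. Every command, package and publisher in the indexes is constructed sample data, not real apt or snap store contents.

```python
"""Model of how a command-not-found style suggester can be fed a squatted
snap name, and a defender-side check on the result.  All indexes are
constructed sample data (hypothetical commands, packages, publishers)."""
from dataclasses import dataclass

APT_INDEX = {  # typed command -> apt package providing it (constructed)
    "htop": "htop",
    "nmap": "nmap",
}

@dataclass(frozen=True)
class Snap:
    name: str
    publisher: str
    verified: bool  # whether the store marks the publisher as verified

SNAP_INDEX = {  # snap name -> Snap (constructed; two entries model squats)
    "htop": Snap("htop", "snapcrafters", True),
    "htpo": Snap("htpo", "random-user", False),   # typo-squat of "htop"
    "nmap": Snap("nmap", "someone-else", False),  # collides with apt's nmap
}

@dataclass(frozen=True)
class Suggestion:
    source: str    # "apt" or "snap"
    package: str
    risky: bool
    reason: str

def assess(command, snap):
    """Defender check: an unverified snap is risky when it shadows a command
    that apt already provides (squat of an existing tool) or when it is the
    only thing offering that name (nothing corroborates it)."""
    if snap.verified:
        return False, "verified publisher"
    if command in APT_INDEX:
        return True, "unverified snap shadows apt-provided command"
    return True, "unverified snap is the only source"

def suggest(command):
    """Return suggestions in the order a naive suggester would emit them:
    the apt package first, then any snap whose name equals the command."""
    out = []
    if command in APT_INDEX:
        out.append(Suggestion("apt", APT_INDEX[command], False, "apt archive"))
    snap = SNAP_INDEX.get(command)
    if snap is not None:
        out.append(Suggestion("snap", snap.name, *assess(command, snap)))
    return out
```

Running `suggest("nmap")` shows the point of the check: the apt entry is clean, but the same-named snap from an unverified publisher is flagged rather than presented as an equal alternative.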

  • penquin · 2 upvotes · 9 months ago

    That’s messed up. I’m going to stay away from them for sure.

    • merthyr1831@lemmy.world · 3 upvotes · 9 months ago

      FWIW Flatpak also does it automatically, but as others said they manually verify new entries, and since it’s such a widely adopted standard there’s less opportunity to name-squat a popular app that isn’t already available.

      I don’t know what Flatpak does to stop, say, someone releasing a legit/dummy app to pass manual verification before replacing it with a malicious app and a new name, so I can’t comment on how effective their security is beyond the initial release.