This is how they take advantage of a Snap error by suggesting unverified packages 

Snap Trap

A bug in Ubuntu can lead the user to install malicious packages

Aqua Security researchers revealed Recently, through a blog post, the possibility of an attack targeting Ubuntu users, taking advantage of one of the best-known functions and also of the ignorance or carelessness of users.

And for Linux users in general, one of the most common messages that we usually find when we are in the terminal is the famous "command-not-foun." This famous message tells us that what we are requesting is not in the system (in most cases) or that we are typing something wrong.

Nobody will let me lie, it has happened to all of us, either because we believe and are sure that the package or application with which we are going to work in the terminal is in our system or simply because we inadvertently typed some letter wrong and in that moment we get the “command-not-foun”. As you all know, when this message appears we areusually makes the installation recommendation of said package that is not found. A practical example of the message would be something like this:

Command 'Firefox' not found, but can be installed with:

sudo apt install "paquete 1 recomendado"

sudo snap install "paquete malicioso"

As such, this driver provides a hint when trying to start a program that is not on the system.

Getting back to the point of the article, the iAqua Security researchers detected a problem what a radica in the way commands are evaluated to run those that are not present on the system, as it not only recommends installing packages from the standard repositories, but also snap packages from the directory when offering recommendations.

Additionally, our research indicates that up to 26% of commands associated with Advanced Package Tool (APT) packages are vulnerable to spoofing by malicious actors. This issue could pave the way for supply chain attacks affecting Linux and Windows users running WSL. This blog delves into the operational details of command-not-found, the risks associated with installing compromised snap packages, and the various attack vectors that could be exploited.

When a recommendation is made based on the contents of the directory, the driver as such it does not evaluate package status and only covers packages added to the directory by unverified users. Therefore, an attacker can place a package with hidden malicious content on, with a name that overlaps with existing DEB packages, programs that were not originally in the repository, or fictitious applications whose names reflect typos and typical errors. users when typing the names of popular utilities.

For example, An attacker can drop packets like "Firefox-123" with the expectation that the user will make mistakes when typing the names of the utilities and in this case, "command-not-found" will recommend installing the malicious packages placed by the attacker from

The user may not be aware of the problem and think that the system only recommends tested packages. Besides, An attacker can drop a package on whose name overlaps with existing DEB packages or with some attraction in the name. In this scenario, "command-not-found" will give two recommendations to install DEB and snap, and the user can choose snap, considering it safer or tempted by the new version.

Snap apps allowed by for automatic review can only run in an isolated environment. However, an attacker can take advantage of this sandbox, for example, to mine cryptocurrency, conduct DDoS attacks, or send spam.

In addition, An attacker can use isolation bypass techniques on malicious packets. This includes exploiting unpatched vulnerabilities in the kernel and isolation mechanisms, using snap interfaces to access external resources (such as hidden audio and video recordings), or capturing keyboard input when using the X11 protocol (to create keyloggers that work on a sandbox environment).

Aqua Security researchers recommend, to protect against such threats, adopt several preventive measures:

  • Users should verify the origin of a package before installation, checking the credibility of the maintainers and the recommended platform (either snap or APT).
  • Snap developers with an alias should immediately register the corresponding name if it aligns with their app to prevent misuse.
  • APT package developers are encouraged to register the snap name associated with their commands, preemptively protecting them against possible spoofing by attackers.

Finally, if you are interested in being able to know more about it, you can consult the details in the following link

Leave a Comment

Your email address will not be published. Required fields are marked with *



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.