- cross-posted to:
- security@programming.dev
- cross-posted to:
- security@programming.dev
Aqua Nautilus researchers have identified a security issue that arises from the interaction between Ubuntu’s command-not-found package and the snap package repository. While command-not-found serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages.
Seems like the problem is more that they allowed random unverified apps to be uploaded in the first place rather than the suggestion prompt. Even then this seems like a good reason to not recommend unverified sources by default.