Aqua Nautilus researchers have identified a security issue that arises from the interaction between Ubuntu’s command-not-found package and the snap package repository. While command-not-found serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages.

  • SavvyWolf@pawb.social · 30 upvotes · 8 months ago

    Wait… Snap packages aren’t manually verified? Why Canonical? Doesn’t every other Linux package manager have their main packages repository manually vetted?

    • OsrsNeedsF2P@lemmy.ml · 29 upvotes · 8 months ago

      Neither Canonical's Snapstore nor Flathub manually verifies apps. They're both similar to the Play Store or App Store, where it's managed by the app developer.

      • jbk@discuss.tchncs.de · 7 upvotes · 8 months ago

        Flathub has manual reviews during initial submission, though. Also, they're working on automatically needing a manual review when, e.g., new permissions are granted to apps.