Attackers have hijacked trusted Snap Store publishers via expired domains, allowing malicious wallet updates to reach long-time Linux users.