New Exploit Bypasses Code Integrity to Backdoor Signal, 1Password, Slack, and More

A new security exploit has been discovered that lets attackers slip malicious code into widely used desktop applications including Signal, 1Password, Slack, and Google Chrome by evading built-in code integrity checks.

The vulnerability, tracked as Electron CVE-2025-55305, affects nearly every app built on the Chromium engine when they use Electron, a popular framework for making cross-platform desktop software with web technologies.

At Trail of Bits, security researcher Shadow examined how Electron’s integrity controls work. Electron provides “fuses” to verify that an app’s JavaScript files match exactly what the developer packaged.

These fuses—EnableEmbeddedAsarIntegrityValidation and OnlyLoadAppFromAsar—ensure no code can be added or changed without being detected.

But they do not cover V8 heap snapshots, a performance feature inherited from Chromium that loads precompiled JavaScript state into memory like thawing a frozen pizza.

Attackers can tamper with these snapshots to insert unsigned code, and the integrity checks ignore them.

By targeting heap snapshots, an attacker with write access to an app installation folder—often a user-writable location like %AppData%\Local on Windows or /Applications on macOS—can backdoor any Electron-based application without needing to break code signatures.

When the app starts, the modified snapshot runs before any integrity checks, letting the attacker override core JavaScript functions.

Shadow demonstrated this by replacing Array.isArray with a gadget that executes arbitrary code. In one test, altering this function caused Slack to crash, proving unsigned snapshot code ran despite Electron’s integrity fuses.

Shadow then built proof-of-concept backdoors for Slack, 1Password, and Signal. For Slack, the payload loaded a keylogger into chat windows.

For Signal and 1Password, the attack could steal messages or vault data. The team responsibly reported the flaw to Electron’s maintainers, who swiftly issued a patch. 1Password fixed the issue in version 8.11.8-40. Signal and Slack have released updates as well.

“We were made aware of Electron CVE-2025-55305 through Trail of Bits responsible disclosure and 1Password has patched the vulnerability in v8.11.8-40. Protecting our customers’ data is always our highest priority,” said Jacob DePriest, CISO at 1Password.

This flaw highlights a wider risk for all Chromium-based software. Researcher Emilio Lopez extended the technique to backdoor Chrome and related browsers installed in user-writable folders.

Because Chrome’s threat model excludes local attacks, these backdoors could remain undetected while still passing code-signing checks.

To defend against these attacks, developers of Electron and Chromium-based apps should enable full integrity checks on heap snapshots or move snapshot files to read-only locations.

Users are advised to update Signal, 1Password, Slack, and other Electron apps to the latest versions without delay.

Secure code integrity must cover every component, including hidden performance shortcuts, to stop attackers from turning trusted applications into stealthy persistence tools.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!