This project demonstrates that any NuGet package can run arbitrary code on your machine.
TL;DR: Installing NuGet packages is (and has always been) a security risk, and you should only install packages from trusted sources and trusted authors.
NuGet used to support PowerShell scripts that could be run manually by developers, or run automatically by NuGet, for example after packages were installed (`install.ps1`) or uninstalled (`uninstall.ps1`), which was useful for packages that needed to perform initial setup and to clean things up afterwards, on uninstall.
With NuGet v3 and `PackageReference`, PowerShell script support was changed so that install and uninstall scripts are no longer executed, one of the reasons being that they are tightly coupled to Visual Studio and inherently not cross-platform.
Microsoft didn't provide any real alternative or migration path from `install.ps1`, causing frustration among developers, and in September 2017 the NuGet team started tracking an issue to come up with a strategy for packages that have `install.ps1`/`uninstall.ps1`, which, as of this writing over two years later, doesn't seem to have made any progress.
In discussions, many developers seem to have the false sense that installing NuGet packages became a "safe" operation after Microsoft dropped support for executing PowerShell scripts (e.g. `install.ps1`), which is not true.
Installing NuGet packages is (and has always been) a security risk, and you should only install packages from trusted sources and trusted authors.
Add the `IAmRoot` package from nuget.org to any project:

```
> dotnet add package IAmRoot
```

or

```
PM> Install-Package IAmRoot
```
Build the project where the `IAmRoot` NuGet package was installed.
Your default internet browser should open and display the image below:
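The README does not spell out the mechanism, but what remains after the PowerShell script removal is that a package can ship `build/*.props` and `build/*.targets` files that MSBuild imports into the consuming project, so any `<Exec>` or `<UsingTask>` in them runs on every build. Added example, not part of this project's code: a Python audit that unpacks a `.nupkg` and reports such build-time hooks, run here against a constructed sample package containing a harmless `echo` (all names in it are made up).

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Folders whose .props/.targets files NuGet imports into the consuming project's build.
BUILD_DIRS = ("build/", "buildtransitive/", "buildmultitargeting/")

def audit_msbuild_xml(name: str, xml_bytes: bytes) -> list:
    """Report constructs in a .props/.targets file that execute code during a build."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"{name}: unparseable MSBuild XML ({exc})"]
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the MSBuild XML namespace
        if tag == "UsingTask":  # loads a task assembly or compiles inline C#/VB code
            src = elem.get("AssemblyFile") or elem.get("AssemblyName") or elem.get("TaskFactory")
            findings.append(f"{name}: UsingTask loads task code from {src}")
        elif tag == "Target":  # Exec inside a target runs a shell command when the target fires
            hook = elem.get("AfterTargets") or elem.get("BeforeTargets") or "explicit invocation"
            for child in elem:
                if child.tag.rsplit("}", 1)[-1] == "Exec":
                    findings.append(f"{name}: target {elem.get('Name')} hooked on {hook} runs: {child.get('Command')}")
    return findings

def audit_nupkg(data: bytes) -> list:
    """Scan a .nupkg (a zip archive) for build-time code execution hooks."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name.lower().startswith(BUILD_DIRS) and name.lower().endswith((".props", ".targets")):
                findings.extend(audit_msbuild_xml(name, pkg.read(name)))
    return findings

def build_sample_nupkg() -> bytes:
    """Constructed sample (not the real IAmRoot package): a harmless Exec hooked after Build."""
    targets = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="SampleHook" AfterTargets="Build">
    <Exec Command="echo hello from the package" />
  </Target>
</Project>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("build/Sample.targets", targets)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_nupkg(build_sample_nupkg()):
        print(finding)
```

Point `audit_nupkg` at the bytes of a downloaded package before restoring it; a clean library package typically yields no findings, while anything reported is code that will run on the next `dotnet build`.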
Click on the Releases tab on GitHub.
Copyright © 2019-2020 C. Augusto Proiete & Contributors - Provided under the Apache License, Version 2.0. Groot logo is a derivative of work by Vectto (original).