Security News > 2023 > August > Microsoft PowerShell Gallery vulnerable to spoofing, supply chain attacks

Lax policies for package naming on Microsoft's PowerShell Gallery code repository allow threat actors to perform typosquatting attacks, spoof popular packages and potentially lay the ground for massive supply chain attacks.

PowerShell Gallery is a Microsoft-run online repository of packages uploaded by the wider PowerShell community, hosting a large number of scripts and cmdlet modules for various purposes.

AquaSec's Nautilus team discovered that users can submit to the PS Gallery packages with very similar names to existing repositories, so-called 'typosquatting' when cybercriminals leverage it for malicious purposes.

PS Gallery hides by default the more reliable 'Owner' field under 'Package Details', which shows the publisher account that uploaded the package.

AquaSec reported all flaws to Microsoft on September 27, 2022, and were able to replicate them on December 26, 2022, despite Microsoft stating in early November that they had fixed the issues.

On January 15, 2023, Microsoft stated that a short-term solution was implemented until its engineers developed a fix for the name typosquatting and package details spoofing.

News URL

https://www.bleepingcomputer.com/news/security/microsoft-powershell-gallery-vulnerable-to-spoofing-supply-chain-attacks/