Security News > 2023 > August > Microsoft PowerShell Gallery vulnerable to spoofing, supply chain attacks

Lax policies for package naming on Microsoft's PowerShell Gallery code repository allow threat actors to perform typosquatting attacks, spoof popular packages and potentially lay the ground for massive supply chain attacks.
PowerShell Gallery is a Microsoft-run online repository of packages uploaded by the wider PowerShell community, hosting a large number of scripts and cmdlet modules for various purposes.
AquaSec's Nautilus team discovered that users can submit to the PS Gallery packages with very similar names to existing repositories, so-called 'typosquatting' when cybercriminals leverage it for malicious purposes.
PS Gallery hides by default the more reliable 'Owner' field under 'Package Details', which shows the publisher account that uploaded the package.
AquaSec reported all flaws to Microsoft on September 27, 2022, and were able to replicate them on December 26, 2022, despite Microsoft stating in early November that they had fixed the issues.
On January 15, 2023, Microsoft stated that a short-term solution was implemented until its engineers developed a fix for the name typosquatting and package details spoofing.
News URL
Related news
- Botnet targets Basic Auth in Microsoft 365 password spray attacks (source)
- Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers (source)
- New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint (source)
- China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access (source)
- GitHub supply chain attack spills secrets from 23,000 projects (source)
- Supply chain attack on popular GitHub Action exposes CI/CD secrets (source)
- Google acquisition target Wiz links fresh supply chain attack to 23K pwned GitHub repos (source)
- GitHub Action hack likely led to another in cascading supply chain attack (source)
- GitHub Action supply chain attack exposed secrets in 218 repos (source)
- Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories' CI/CD Secrets Exposed (source)