It is terrifyingly easy to publish a Powershell module
Like many admins I regularly use install-module to add in modules from the Powershell Gallery. Typically these are installed via a script that is using them as dependencies rather than directly. I always read through a script to make sure I fully understand it before running it. However this rarely applies to the dependency modules it installs and uses.
When working on my HudaAPI module I wanted to publish it into the powershell gallery to make it easier to utilise in my scripts. I imagined this being a hard process of having to go through a review process where it would be checked that its not malicious. I mean its a Microsoft run website, they must be reviewing code before letting it be downloaded by anyone, right?
The process for publishing it was:
- Login with my Microsoft account.
- Get an API Key.
- Run one powershell command which uploads and publishes it.
That was it no verification beyond me having an account.
Take this as a warning to always check any scripts you are running, including dependant modules. I would recommend visiting the powershell gallery of any module before you download it to make sure it is what you think and take extra care to make sure you don’t misspell a module name as someone could easily put up malicious module with a small spelling error to a popular one.
There may be additional security steps going on it the background that Microsoft have in place, but I will certainly be being far more careful in the future.