 

What if someone submits a 'malware' NuGet package?

I checked the NuGet submission process, and did not find anything about a basic check or review process.

So what if someone submitted, let's say, an email template helper package, but it actually does email sniffing?

Correct me if I missed anything here.

ValidfroM asked Sep 27 '13 10:09


1 Answer

There is no central review process - you are correct. You should exercise a similar amount of caution as when you are getting compiled binaries from any source. Someone could put malicious code on any public website (SourceForge, CNET, etc.).

Security is about minimizing risk, not eliminating it. If your data/information is crucial, you should vet the software yourself (or have someone who is knowledgeable do it). Not only could you download malicious code, but you could also introduce a vulnerability to your software that was not intended by the package writer. The burden is on the end-user here. Additionally, just because software is "reviewed" doesn't make it safe. Here is an article about a piece of malware that was submitted to the AppStore and approved. This is not an isolated incident.

If this is for your personal/small projects with non-confidential data, I would not be too awfully worried if you stick to relatively widely used packages with many reviews. The community can help police for this sort of thing as there is a "Report Extension to Microsoft" link on every extension.

Gray answered Nov 01 '22 18:11
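The answer's advice is to vet the package yourself rather than trust the feed. A concrete first pass is to open the .nupkg (it is a zip archive) before installing it and look for anything that executes outside the lib/ assemblies: the NuGet clients of that era ran tools/init.ps1 and tools/install.ps1 automatically in the Visual Studio Package Manager Console, and build/*.targets files are imported into every build of the consuming project, so an "email template helper" can run code before any of its API is ever called. The script below is an added example, not code from the original question or answer; the package it inspects is constructed in memory, and the identifier Contoso.EmailTemplates is hypothetical.

```python
"""Vet a .nupkg before installing it: list what is inside, flag content that
executes at install or build time, and record the package hash.

Added example, not code from the original post. The package inspected here
is constructed inline and the id Contoso.EmailTemplates is hypothetical.
"""
import hashlib
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# (pattern over the archive entry name, why a reviewer should look at it)
RISKY_PATTERNS = [
    (re.compile(r"^tools/(init|install|uninstall)\.ps1$", re.I),
     "PowerShell hook run automatically by the NuGet client"),
    (re.compile(r"^build[^/]*/.*\.(targets|props)$", re.I),
     "MSBuild hook imported into every build of the consuming project"),
    (re.compile(r"\.(ps1|psm1|bat|cmd|exe|vbs|js)$", re.I),
     "script or executable content"),
    (re.compile(r"^runtimes/.*\.(dll|so|dylib)$", re.I),
     "native, platform-specific binary (harder to decompile and review)"),
]


def build_sample_nupkg() -> bytes:
    """Construct a small hypothetical package in memory (constructed sample)."""
    nuspec = (
        '<?xml version="1.0"?>\n'
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">\n'
        "  <metadata>\n"
        "    <id>Contoso.EmailTemplates</id>\n"
        "    <version>1.0.0</version>\n"
        "    <authors>unknown</authors>\n"
        "    <description>Email template helper (constructed sample)</description>\n"
        "  </metadata>\n"
        "</package>\n"
    )
    entries = [
        ("Contoso.EmailTemplates.nuspec", nuspec.encode()),
        ("lib/net45/Contoso.EmailTemplates.dll", b"MZ\x90\x00 placeholder, not a real PE"),
        # The part a casual consumer never sees: runs in the Package Manager Console.
        ("tools/init.ps1", b"Start-Process powershell -WindowStyle Hidden -ArgumentList '-enc ...'\n"),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, payload in entries:
            # Fixed timestamp so the sample bytes (and their hash) are deterministic.
            info = zipfile.ZipInfo(name, date_time=(2013, 9, 27, 0, 0, 0))
            z.writestr(info, payload)
    return buf.getvalue()


def inspect_nupkg(data: bytes) -> dict:
    """Return manifest identity, entry list, SHA-512 and review findings for one package."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # The manifest sits at the archive root; nested .nuspec files are not the manifest.
        manifest_name = next(n for n in names if n.lower().endswith(".nuspec") and "/" not in n)
        root = ET.fromstring(z.read(manifest_name))

    # The nuspec namespace changed across schema versions, so read it off the root tag.
    m = re.match(r"\{(.*)\}", root.tag)

    def q(tag):  # qualify a tag with the manifest's namespace, if it declares one
        return f"{{{m.group(1)}}}{tag}" if m else tag

    meta = root.find(q("metadata"))
    identity = {k: meta.findtext(q(k)) for k in ("id", "version", "authors")}

    findings, unsafe_paths = [], []
    for name in names:
        # Zip entries can try to escape the extraction directory ("zip slip").
        if name.startswith("/") or ".." in name.split("/"):
            unsafe_paths.append(name)
        for pattern, reason in RISKY_PATTERNS:
            if pattern.search(name):
                findings.append((name, reason))
                break  # report the most specific reason only
    return {
        **identity,
        "entries": names,
        "sha512": hashlib.sha512(data).hexdigest(),
        "unsafe_paths": unsafe_paths,
        "findings": findings,
    }


def needs_manual_review(report: dict) -> bool:
    """True when the package contains anything that executes outside the lib/ assemblies."""
    return bool(report["findings"] or report["unsafe_paths"])


if __name__ == "__main__":
    report = inspect_nupkg(build_sample_nupkg())
    print(f'{report["id"]} {report["version"]} by {report["authors"]}  sha512={report["sha512"][:16]}...')
    for name, reason in report["findings"]:
        print(f"  REVIEW {name}: {reason}")
    print("manual review needed:", needs_manual_review(report))
```

Run it against a real .nupkg by replacing the constructed bytes with the file contents. A hit on tools/ or build/ is not proof of malice (plenty of legitimate packages ship install scripts and targets), but it is exactly the content to read before the first install, and the SHA-512 is worth pinning so a later "same version" download that differs is noticed. Later NuGet clients added author and repository signing; a valid signature tells you who published the package, not that what it does is safe, so the contents still need a look.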