IAmRoot NuGet Package
This project demonstrates that any NuGet package can run arbitrary code on your machine.
TL;DR: Installing NuGet packages is (and has always been) a security risk, and you should only install packages from trusted sources and trusted authors.
NuGet used to support PowerShell scripts that could be run manually by developers, or run automatically by NuGet, for example after packages were installed (install.ps1) or uninstalled (uninstall.ps1). This was useful for packages that needed to perform an initial setup on install and clean up afterwards on uninstall.
With NuGet v3 and PackageReference, PowerShell script support was modified to no longer execute install and uninstall scripts, with one of the reasons being that they are tightly coupled to Visual Studio and inherently not cross-platform.
Microsoft didn't provide any real alternative or migration path from install.ps1, causing frustration among developers. In September of 2017 the NuGet team started tracking an issue to come up with a strategy for packages that have install.ps1/uninstall.ps1 which, as of this writing over two years later, doesn't seem to have made any progress.
In discussions, many developers seem to have the false sense that installing NuGet packages became a "safe" operation after Microsoft dropped support for executing PowerShell scripts (e.g. install.ps1), which is not true.
Installing NuGet packages is (and has always been) a security risk, and you should only install packages from trusted sources and trusted authors.
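An added example, not part of the IAmRoot project: a Python sketch for reviewing a package before installing it. It lists the files in a .nupkg (a zip archive) that are PowerShell scripts under tools/, such as the install.ps1 and uninstall.ps1 mentioned above, or MSBuild .props/.targets files under the build folders, which NuGet imports into the consuming project. The folder and extension lists, the function names and the Example.Pkg sample are assumptions made for this example; an empty result means only that none of these file types were found.

```python
import io
import zipfile

# Assumption for this example: the package folders and file types worth
# reading before install. tools/*.ps1 covers install.ps1/uninstall.ps1;
# the build* folders hold MSBuild files that NuGet imports into the project.
HOOK_DIRS = ("tools/", "build/", "buildtransitive/", "buildmultitargeting/")
HOOK_EXTS = (".ps1", ".psm1", ".props", ".targets")


def find_hooks(nupkg):
    """Return the sorted entry names in a .nupkg that are scripts or MSBuild imports.

    `nupkg` is a path or a binary file-like object; a .nupkg is a zip archive.
    """
    hits = []
    with zipfile.ZipFile(nupkg) as zf:
        for name in zf.namelist():
            # Normalise separators and case: package folder names are
            # matched case-insensitively here.
            norm = name.replace("\\", "/").lower()
            if norm.startswith(HOOK_DIRS) and norm.endswith(HOOK_EXTS):
                hits.append(name)
    return sorted(hits)


def build_sample(paths):
    """Build an in-memory zip with empty entries (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in paths:
            zf.writestr(path, "")
    buf.seek(0)
    return buf


# Constructed sample layout for a hypothetical package "Example.Pkg".
SAMPLE_PATHS = [
    "Example.Pkg.nuspec",
    "lib/netstandard2.0/Example.Pkg.dll",
    "tools/install.ps1",
    "tools/uninstall.ps1",
    "build/Example.Pkg.targets",
    "content/readme.txt",
]

if __name__ == "__main__":
    for entry in find_hooks(build_sample(SAMPLE_PATHS)):
        print("review before installing:", entry)
```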
How to Run
> dotnet add package IAmRoot
PM> Install-Package IAmRoot
Click on the Releases tab on GitHub.