explaingit

blackvenom5iix/winget-toctou-poc

Analysis updated 2026-06-24

0PowerShellAudience · researcherComplexity · 3/5Setup · moderate

TLDR

Proof of concept showing a TOCTOU race in Windows winget where a verified installer can be swapped before it is actually run.

Mindmap

mindmap
  root((winget-toctou-poc))
    Inputs
      winget install command
      Attacker script
    Outputs
      Swapped installer
      Demonstration screenshot
    Use Cases
      Reproduce the race
      Study TOCTOU class
      Inform winget hardening
    Tech Stack
      PowerShell
      Windows
      winget
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Reproduce a winget post-verification installer-swap attack in a lab VM

USE CASE 2

Study TOCTOU race patterns for a security writeup or training session

USE CASE 3

Test winget patches by running the PoC before and after updates

What is it built with?

PowerShellWindowswinget

How does it compare?

blackvenom5iix/winget-toctou-pocnickalaslight/fable-sonnet-orchestrator-kitgrafikerdem/agent-context-economy
Stars016
LanguagePowerShellPowerShellPowerShell
Setup difficultymoderatemoderateeasy
Complexity3/53/52/5
Audienceresearcherdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 1h+

README is one paragraph with no instructions, so reproduction requires reading the PowerShell sources and setting up a Windows VM.

In plain English

This repository is a proof of concept for a security issue in winget, the official package manager built into recent versions of Windows. The README is one paragraph long and contains no setup, code, or reproduction steps, only a short statement of what the project demonstrates and a single screenshot. The flaw is described as a TOCTOU race condition. TOCTOU stands for time of check to time of use. The idea is that winget downloads an installer, checks it for integrity, and then runs it. In between the check and the run, there is a moment when an attacker on the same machine can swap the verified file for a different one. Winget then installs the swapped file under the trust assumption that it had already been verified. The repository is labelled as PowerShell, which suggests the demonstration is delivered as PowerShell scripts that race against winget, although the README does not say so directly. There is no code listing, no walkthrough, no list of affected winget versions, and no patched version called out as fixed. Because the README is so short, anyone interested in the actual technique would need to read the source files in the repository to see how the race is staged, and to check what Windows and winget versions the author tested against. The repository is also marked with zero stars at the time of capture, so it has not yet drawn community attention or independent confirmation. In short, the project flags a specific class of installer-replacement bug in winget and shares a demonstration of it, but the public-facing description is minimal and most of the detail lives in the code rather than in the documentation.

Copy-paste prompts

Prompt 1
Walk me through the TOCTOU window in winget that this PoC targets and where in the install flow the swap happens
Prompt 2
Read the PowerShell scripts in winget-toctou-poc and write a step by step reproduction guide with the affected winget versions
Prompt 3
Suggest defensive changes winget could make to close the race window shown in this PoC
Prompt 4
Help me set up an isolated Windows VM to safely run this PoC and capture logs of the swap

Frequently asked questions

What is winget-toctou-poc?

Proof of concept showing a TOCTOU race in Windows winget where a verified installer can be swapped before it is actually run.

What language is winget-toctou-poc written in?

Mainly PowerShell. The stack also includes PowerShell, Windows, winget.

How hard is winget-toctou-poc to set up?

Setup difficulty is rated moderate, with roughly 1h+ to a first successful run.

Who is winget-toctou-poc for?

Mainly researcher.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.