blackvenom5iix/winget-toctou-poc

This repository is a proof of concept for a security issue in winget, the official package manager built into recent versions of Windows. The README is one paragraph long and contains no setup, code, or reproduction steps, only a short statement of what the project demonstrates and a single screenshot. The flaw is described as a TOCTOU race condition. TOCTOU stands for time of check to time of use. The idea is that winget downloads an installer, checks it for integrity, and then runs it. In between the check and the run, there is a moment when an attacker on the same machine can swap the verified file for a different one. Winget then installs the swapped file under the trust assumption that it had already been verified. The repository is labelled as PowerShell, which suggests the demonstration is delivered as PowerShell scripts that race against winget, although the README does not say so directly. There is no code listing, no walkthrough, no list of affected winget versions, and no patched version called out as fixed. Because the README is so short, anyone interested in the actual technique would need to read the source files in the repository to see how the race is staged, and to check what Windows and winget versions the author tested against. The repository is also marked with zero stars at the time of capture, so it has not yet drawn community attention or independent confirmation. In short, the project flags a specific class of installer-replacement bug in winget and shares a demonstration of it, but the public-facing description is minimal and most of the detail lives in the code rather than in the documentation.