gitwtfhub

wtf is winget-toctou-poc?

blackvenom5iix/winget-toctou-poc — explained in plain English

Analysis updated 2026-05-18

0PowerShellAudience · researcherComplexity · 3/5Setup · moderate

TL;DR

Proof of concept showing a TOCTOU race in Windows winget where a verified installer can be swapped before it is actually run.

Mindmap

mindmap
  root((winget-toctou-poc))
    Inputs
      winget install command
      Attacker script
    Outputs
      Swapped installer
      Demonstration screenshot
    Use Cases
      Reproduce the race
      Study TOCTOU class
      Inform winget hardening
    Tech Stack
      PowerShell
      Windows
      winget

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Reproduce a winget post-verification installer-swap attack in a lab VM

REASON 2

Study TOCTOU race patterns for a security writeup or training session

REASON 3

Test winget patches by running the PoC before and after updates

What's in the stack?

PowerShellWindowswinget

How it stacks up

blackvenom5iix/winget-toctou-poceman134/eman-openagentgfsaaser24/x-algo
Stars000
LanguagePowerShellPowerShellPowerShell
Setup difficultymoderateeasyeasy
Complexity3/52/51/5
Audienceresearcherdevelopervibe coder

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · moderate Time to first run · 1h+

README is one paragraph with no instructions, so reproduction requires reading the PowerShell sources and setting up a Windows VM.

Wtf does this do

This repository is a proof of concept for a security issue in winget, the official package manager built into recent versions of Windows. The README is one paragraph long and contains no setup, code, or reproduction steps, only a short statement of what the project demonstrates and a single screenshot. The flaw is described as a TOCTOU race condition. TOCTOU stands for time of check to time of use. The idea is that winget downloads an installer, checks it for integrity, and then runs it. In between the check and the run, there is a moment when an attacker on the same machine can swap the verified file for a different one. Winget then installs the swapped file under the trust assumption that it had already been verified. The repository is labelled as PowerShell, which suggests the demonstration is delivered as PowerShell scripts that race against winget, although the README does not say so directly. There is no code listing, no walkthrough, no list of affected winget versions, and no patched version called out as fixed. Because the README is so short, anyone interested in the actual technique would need to read the source files in the repository to see how the race is staged, and to check what Windows and winget versions the author tested against. The repository is also marked with zero stars at the time of capture, so it has not yet drawn community attention or independent confirmation. In short, the project flags a specific class of installer-replacement bug in winget and shares a demonstration of it, but the public-facing description is minimal and most of the detail lives in the code rather than in the documentation.

Yoink these prompts

Prompt 1
Walk me through the TOCTOU window in winget that this PoC targets and where in the install flow the swap happens
Prompt 2
Read the PowerShell scripts in winget-toctou-poc and write a step by step reproduction guide with the affected winget versions
Prompt 3
Suggest defensive changes winget could make to close the race window shown in this PoC
Prompt 4
Help me set up an isolated Windows VM to safely run this PoC and capture logs of the swap

Frequently asked questions

wtf is winget-toctou-poc?

Proof of concept showing a TOCTOU race in Windows winget where a verified installer can be swapped before it is actually run.

What language is winget-toctou-poc written in?

Mainly PowerShell. The stack also includes PowerShell, Windows, winget.

How hard is winget-toctou-poc to set up?

Setup difficulty is rated moderate, with roughly 1h+ to a first successful run.

Who is winget-toctou-poc for?

Mainly researcher.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.