
So they say at the provider level update traffic was redirected. Does this also mean their update endpoints didn’t do encryption?


It's also possible the update manifest contained a URL that the updater blindly trusted, and by modifying that file you could change what got downloaded.


Yeah, should have finished reading. Remediation was to “verify both the certificate and the signature of the downloaded installer.”

I mean, for such a dev-focused and extremely performant app, that’s disappointing.

Glad I’m off Windows as of late.



