https://archive.org/details/500ms-supply-chain-verification-toolkit
The name references Andres Freund's 500ms SSH delay that uncovered the
XZ backdoor.
The core finding: JsonSchema.Net.dll shipped in Microsoft's
DesktopAppInstaller has a SHA256 that doesn't match any official NuGet
release. It has a PE timestamp of year 2095. And it's signed by
Microsoft's HSM.
You can verify this on your own Windows 11 machine without downloading
anything from me:
Get-FileHash "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*\ConfigurationRemotingServer\JsonSchema.Net.dll"
Compare with NuGet official: https://www.nuget.org/packages/JsonSchema.Net/7.2.3
The toolkit also includes anomalies in Google's cloudcode_cli (104K
internal refs) and Intel's IGCCTray (GCP data exfil in a graphics driver).
🔍 500ms — Supply chain anomalies in Windows 11 default binaries
JsonSchema.Net.dll in Microsoft DesktopAppInstaller:
→ Hash ≠ any official NuGet release
→ PE timestamp: year 2095
→ Signed by Microsoft HSM post-modification
Verify on YOUR OWN Windows 11 (no download needed):
Get-FileHash "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*\...\JsonSchema.Net.dll"
Compare: nuget.org/packages/JsonSchema.Net/7.2.3
#infosec #supplychainattack #malwareanalysis #microsoft #cybersecurity #threatintel #windows11 #forensics

500ms — Supply Chain Verification Toolkit : Anonymous Security Researcher : Free Download, Borrow, and Streaming : Internet Archive
500ms — Supply Chain Compromise Verification Toolkit. Named after Andres Freund's 500ms that uncovered the XZ backdoor. Three binaries from a standard Windows...
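A signing-aware version of the hash comparison above, as an added example that is not part of the original post or the toolkit. Authenticode signing rewrites the PE checksum and appends a certificate table, so a signed DLL never has the same whole-file SHA256 as an unsigned copy of the same build, and deterministic .NET builds fill the PE timestamp field with a hash-derived value rather than a build time. The function names and the reference path are assumptions; the reference DLL is one you extracted yourself from the official .nupkg.

```powershell
# Added example. Summarises a PE file and hashes it with the regions that
# code signing rewrites left out, so "was signed" and "content differs"
# can be told apart.
function Get-PeSummary {
    param([Parameter(Mandatory)][string]$Path)
    $file  = (Resolve-Path -Path $Path -ErrorAction Stop | Select-Object -First 1).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($file)
    $pe    = [BitConverter]::ToInt32($bytes, 0x3C)             # e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $pe) -ne 0x4550) { throw "Not a PE file: $file" }
    $stamp = [BitConverter]::ToUInt32($bytes, $pe + 8)         # COFF TimeDateStamp
    $opt   = $pe + 24                                          # optional header start
    $pe32p = [BitConverter]::ToUInt16($bytes, $opt) -eq 0x20B  # PE32+ magic
    $sum   = $opt + 64                                         # CheckSum field (4 bytes)
    $cert  = $opt + $(if ($pe32p) { 112 } else { 96 }) + 32    # data directory 4 (8 bytes)
    $cOff  = [BitConverter]::ToUInt32($bytes, $cert)           # certificate table file offset
    $end   = if ($cOff -gt 0) { [int]$cOff } else { $bytes.Length }
    # Hash everything except CheckSum, the certificate directory entry and the
    # appended certificate table. Assumes the table is the last thing in the
    # file; alignment padding added by the signer is not normalised.
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $null = $sha.TransformBlock($bytes, 0, $sum, $null, 0)
    $null = $sha.TransformBlock($bytes, $sum + 4, $cert - $sum - 4, $null, 0)
    $null = $sha.TransformFinalBlock($bytes, $cert + 8, $end - $cert - 8)
    $sig  = Get-AuthenticodeSignature -LiteralPath $file
    [pscustomobject]@{
        Path            = $file
        FileSha256      = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        ContentSha256   = [BitConverter]::ToString($sha.Hash) -replace '-'
        PeTimestampUtc  = [DateTimeOffset]::FromUnixTimeSeconds($stamp).UtcDateTime
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
    }
}

function Compare-PeFile {
    param([Parameter(Mandatory)][string]$Installed,
          [Parameter(Mandatory)][string]$Reference)
    $a = Get-PeSummary $Installed
    $b = Get-PeSummary $Reference
    [pscustomobject]@{
        WholeFileMatch = $a.FileSha256 -eq $b.FileSha256
        ContentMatch   = $a.ContentSha256 -eq $b.ContentSha256
        Installed      = $a
        Reference      = $b
    }
}

# Usage ('.\reference\JsonSchema.Net.dll' is a placeholder path):
# Compare-PeFile -Installed 'C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*\ConfigurationRemotingServer\JsonSchema.Net.dll' -Reference '.\reference\JsonSchema.Net.dll'
```

`WholeFileMatch` false with `ContentMatch` true means the two files differ only in the regions signing rewrites. Both false means bytes outside those regions differ, which a separate build of the same source also produces.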