This whole vector (serving malicious updates via MiTM) has been well known for the longest time, with even frameworks such as Evilgrade for exploiting them.

Such an oversight from a “security” company is frankly unforgivable.