It looks like using Chocolatey [1] saved me from this attack vector because maintainers hardcode SHA256 checksums (and choco doesn't use WinGuP at all).

[1]: https://chocolatey.org/