FileZilla :: Another Supply Chain attack or just bad practices

It appears that FileZilla is serving malicious code with its current bundle ("FileZilla_3.29.0_win64-setup_bundled.exe"). Furthermore they're trying to downplay the actual issue on the official forum, see: 

The responses from FileZilla on the forum certainly does not provide any assurance, so do NOT use FileZilla install bundles on any system.

Also please note that Windows 10 now have both SSH and SCP installed (latest builds). Otherwise install the Windows Subsystem for Linux (WSL), or just run your favorite *Nix distro on your dev boxes.