kmsg

The script itself contains no obvious overt malware logic (no exfiltration, credential access, obfuscated execution, or additional persistence mechanisms beyond PATH editing). However, it creates a direct supply-chain execution path by downloading an unverified executable from a moving “releases/latest” endpoint and executing it immediately. The primary risk is integrity/authenticity of the downloaded binary; if the release artifact or redirect chain is compromised, the installer would run attacker-controlled code in the user context.