project-init
Warn
Audited by Socket on May 7, 2026
1 alert found:
Anomaly (LOW): assets/restart-go.sh.tmpl
No direct evidence of overt malware in this shell script (no explicit exfiltration or backdoor behavior). However, it significantly increases supply-chain and operational risk by automatically pulling the latest code from a remote branch and running npm install/build steps (which execute dependency lifecycle code), then compiling and launching the resulting server binary. Additionally, the insecure default admin password fallback (`admin123`) is a concrete credential hygiene issue. Treat this deployment method as high-risk unless you pin and verifiably validate git commits/tags and npm dependencies (lockfile enforcement, integrity checks/signatures), and remove the default password fallback so that secure secret configuration is required.
Confidence: 72%
Severity: 67%
Audit Metadata