fw-setup
Warn
Audited by Socket on May 6, 2026
1 alert found:
Anomaly (LOW): commands/fw-setup-upgrade.md
No clear evidence of intentional malware exists in this fragment. However, it performs a high-impact supply-chain action: it downloads and globally installs remote code via `npm install -g` from a CDN-selected tarball, with only an HTTP reachability check and no demonstrated integrity/authenticity verification (notably for “latest”). Treat this as a meaningful supply-chain integrity risk rather than confirmed malicious behavior.
Confidence: 60%
Severity: 66%
Audit Metadata