He said he would open source it 11 hours ago in multiple twitter replies but the github link to the repo as seen in the statically linked binary that they recommend to curl and pipe into your shell instead of any popular packaging solution (which doesn't seem to verify against a signed gpg signature - only a hash file obtained from the same subdomain)... Hosted on a domain registered only last month instead of their company's primary domain.

But it has been tweeted about by the creator who works there so maybe it's not all that suspicious.

Was this vibecoded? Right down to the curl pipe? It's really strange that the code isn't public yet.