You are downloading code compiled by someone else. In order to make this to work, you either need to add the username/password to the config.json (or use some ui to do it for you).
For 2 factor, you need to run another utility to generate the refresh token (ie a one time password that can be used by anyone) and this is added in plain text to the config.json file.
This is posted in the ring 2FA module:
“Note: Your refreshToken is just as valuable as an email/password so treat it with the same care you would a password. It can also be used for accounts that do not have 2fa enabled if you don’t want your email/password in plain text in a config file.”
Bottom line, someone gets into your computer or compiled the code with a backdoor, you are giving the keys out…