MAL-2026-4805

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a9a1c269ce5e462d7e555ce1ca34b7f2e54e3d34ea094d35a67aa7c61d1fe34e) The package's exported `Metricflow` React component defaults `serverUrl` to `http://51.38.65.105:21531` and, when rendered, appends a `<script src="${serverUrl}/TrakLab-plugin/Dev/tracklab.js">` tag to `document.head` in the consumer's web application (dist/index.js line 18). The fetched JavaScript executes with full DOM and same-origin access in any site that uses the component. The source is a bare IPv4 address over cleartext HTTP at a mutable `/Dev/` path with no Subresource Integrity, no version pinning, and no TLS — whoever controls that IP, and any on-path network attacker, can serve arbitrary JavaScript into the consumer's application. Additionally, `window.MetricflowConfig.collectUrl` defaults to `http://51.38.65.105:21531/collect`, silently relaying end-user telemetry collected by the loaded tracker to the same hardcoded host. Package metadata provides no author, homepage, or documentation tying that IP to a legitimate analytics vendor. The combination of remote-code-loading from an unverified mutable HTTP endpoint plus silent relay of end-user data to an opaque destination is supply-chain harm to any installer that renders this component.