web-inspect

Fail

Audited by Socket on May 4, 2026

2 alerts found:

Anomaly, Malware

Anomaly (LOW)
scripts/inject.mjs

This module is primarily a reversible HTML injector/restorer for developer/inspection purposes, but it persistently modifies page HTML to insert a browser-executed <script src=...> whose URL is derived from CLI-provided port/token (and configuration). There is no direct malicious behavior demonstrated in the shown fragment (no exfiltration, no exec/eval), yet the ability to inject executable client-side code and the use of token material in a URL make it a meaningful security-sensitive supply-chain risk if inputs or injected endpoints are not strictly controlled and trusted.

Confidence: 60%
Severity: 60%

Malware (HIGH)
scripts/overlay.js

The code is highly likely to be a diagnostic/inspection overlay that intentionally collects sensitive runtime data (console errors/warnings, unhandled rejections, failed network request details, DOM element HTML/text and computed styles, and screenshots) and exfiltrates it to an external helper service at `HELPER_ORIGIN` using a token embedded in the script URL. This behavior is strongly suspicious from a supply-chain/surveillance standpoint even if it is intended for debugging. Recommend treating the package/module as high risk and verifying provenance, network destinations, and exact data sent.

Confidence: 75%
Severity: 86%

Audit Metadata

Analyzed At: May 4, 2026, 02:13 AM
Package URL: pkg:socket/skills-sh/ishakantony%2Fskills%2Fweb-inspect%2F@9f9e6ef66c3607e079c3f9d87c3eb9f65ea1cf25