budge
Audited by Socket on May 10, 2026
2 alerts found:
Anomaly (Security): No malicious payload is visible in the provided integration snippets themselves; they primarily load and execute an opaque third-party CDN IIFE. The main concern is supply-chain risk: the application executes remote JavaScript in its origin without shown integrity pinning/SRI, and the described behavior (MutationObserver-driven DOM interaction and hidden JSON configuration parsing) means the remote code can substantially affect the page and potentially user interaction/data exposure. Audit the fetched budge.iife.js, apply integrity/version pinning where possible, and restrict/limit activation to known-safe contexts.
SUSPICIOUS. The stated purpose is coherent for UI tweaking, but the implementation relies on an unverifiable third-party browser script from budge.design as the core runtime. That remote, unpinned JS executes in the app with broad DOM visibility and no verifiable release/source trail, making the install trust and data-flow footprint disproportionate to a styling helper.