preview-d3
Audited by Socket on Apr 17, 2026
1 alert found:
Security: The key risk in this module is an explicit dynamic script-loading execution primitive: it derives script.src from DOM-provided JSON ('d3-user-code-src') and appends it to document.head without visible allowlisting/validation. If an attacker can influence that DOM value or the referenced resource, this enables arbitrary JavaScript execution in the page context (high security impact). Additional risks include innerHTML-based UI rendering (dependent on helper escaping) and DOM ID/class creation from regex-parsed untrusted code text. No clear standalone malware behavior (exfiltration/backdoor logic) is present in the snippet itself, but the execution mechanism makes malware/supply-chain compromise plausible.