budge
Warn
Audited by Socket on May 6, 2026
1 alert found:
Anomaly (LOW): references/INSTALL.md
This code is not overtly malicious by itself; it is integration logic that loads and executes an opaque third-party IIFE from https://www.budge.design/budge.iife.js across multiple frameworks and activates it based on DOM-inserted JSON configuration (data-budge). The dominant concern is supply-chain risk: remote script execution without SRI/version pinning/sandboxing, combined with MutationObserver-based auto-activation, gives the third party meaningful opportunity to track or manipulate the page if the CDN asset is compromised.
Confidence: 62%
Severity: 68%
Audit Metadata