controlling-spotify
Warn
Audited by Socket on May 3, 2026
1 alert found:

Anomaly (LOW): scripts/apply-patch.js
This module is primarily a self-modifying build/installation patcher that rewrites src/utils.ts by inserting credential-handling logic into loadSpotifyConfig(). It does not show direct malware behaviors like network access or command execution, but it creates a meaningful supply-chain risk due to runtime code alteration and it wires sensitive secrets (SPOTIFY_CLIENT_SECRET and SPOTIFY_REFRESH_TOKEN) into application logic. Additionally, on failure it may disclose local source content via a preview in logs. Overall: suspicious/needs review in a supply-chain context, but direct malicious payload indicators are limited in this snippet.
Confidence: 75% | Severity: 60%
Audit Metadata