Nah, I suspect any app that's loading arbitrary JS from somebody's random GitHub page would get called out for that behavior. We're getting supply chain attacks daily.