registry  /  @wix/editor-react-components  /  1.2298.0

@wix/editor-react-components@1.2298.0

React components for the Wix Editor

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface was found. Runtime network activity is component functionality for loading media, icons, maps, embeds, or user-supplied animation URLs.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
consumer imports/renders exported React components
Impact
No credential theft, persistence, destructive behavior, or unauthorized project mutation identified
Mechanism
browser component asset/embed loading and Lottie expression evaluation
Rationale
Static inspection shows a Wix React component bundle with expected media/embed fetches and bundled third-party library patterns; scanner hits are explainable by package functionality. No concrete malicious behavior or install-time mutation was found.
Evidence
package.jsondist/site/components/Lottie/component.jsdist/site/components/chunks/DateField.jsdist/site/components/TextInput/component.jsdist/site/components/SocialPlayerVimeo/component.jsdist/site/components/GoogleMap/component.js
Network endpoints7
bo.wix.com/pages/editor-react-components/static.parastorage.com/services/wix-ui-icons-common/dist/icons/vimeo.com/api/oembed.jsonmaps.googleapis.com/maps/api/jsfiles.wix.com/site/media/files/static.wixstatic.com/www.youtube.com/embed/

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/site/components/Lottie/component.js contains eval for Lottie expression evaluation from animation data
  • dist/site/components/chunks/DateField.js contains bidi isolates as literal date/time segment text
  • Runtime components fetch user/content assets from Wix, Vimeo, Google, and static asset URLs
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • package.json exports only dist/site React component entrypoints
  • No child_process, shell execution, credential harvesting, or AI-agent control-surface writes found
  • Lottie eval is bundled lottie-web behavior and only runs when rendering supplied animation data
  • DateField bidi characters are visible string literals used for localized date/time formatting
  • Network use is package-aligned media/icon/embed loading, not exfiltration
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 312 file(s), 6.07 MB of source, external domains: aomedia.org, api.whatsapp.com, base-ui.com, editor.wix.com, facebook.com, fb.me, files.wix.com, github.com, maps.googleapis.com, pinterest.com, static.filesuser.com, static.parastorage.com, static.wixstatic.com, twitter.com, video.wixstatic.com, vimeo.com, visgl.github.io, www.facebook.com, www.google.com, www.instagram.com, www.linkedin.com, www.snapchat.com, www.tiktok.com, www.w3.org, www.wix.com, www.youtube.com

Source & flagged code

3 flagged · loading source
dist/site/components/Lottie/component.jsView file
13712var scoped_bm_rt; L13713: var expression_function = eval("[function _expression_function(){" + val + ";scoped_bm_rt=$bm_rt}]")[0]; L13714: var numKeys = property.kf ? data.k.length : 0;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/site/components/Lottie/component.jsView on unpkg · L13712
dist/site/components/chunks/DateField.jsView file
6423contains invisible/control Unicode U+2066 (left-to-right isolate) text: "<U+2066>",
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/site/components/chunks/DateField.jsView on unpkg · L6423
dist/site/components/chunks/constants3.jsView file
61patternName = generic_password severity = medium line = 61 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in dist/site/components/chunks/constants3.js

dist/site/components/chunks/constants3.jsView on unpkg · L61

Findings

1 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist/site/components/chunks/DateField.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/site/components/chunks/constants3.js
LowScripts Present
LowEvaldist/site/components/Lottie/component.js
LowHigh Entropy Strings
LowUrl Strings