AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package exports browser-facing React components and has no install-time hook.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer imports and renders a component; Lottie expressions additionally require enabled expression rendering.
Impact
No package-side credential theft, persistence, destructive action, or install-time mutation found.
Mechanism
UI rendering, media loading, and optional Lottie expression evaluation.
Rationale
The scanner findings resolve to normal bundled UI functionality: Lottie's guarded expression evaluator and intentional bidi formatting controls. Direct inspection found no lifecycle execution or concrete malicious behavior.
Evidence
package.jsondist/site/components/Lottie/component.jsdist/site/components/chunks/DateField.jsdist/site/components/chunks/svg.jsdist/site/components/GoogleMap/component.jsdist/site/components/VideoUpload/sdk.jsdist/site/components/chunks/Video.js
Network endpoints4
maps.googleapis.com/maps/api/jsfiles.wix.com/site/media/files/${videoId}/infostatic.wixstatic.com/media/video.wixstatic.com/
Decision evidence
public snapshotAI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/site/components/Lottie/component.js contains eval for Lottie expression rendering when runExpressions is enabled.
Evidence against
- package.json has no preinstall, install, postinstall, prepare, or bin entry.
- Published payload is limited to dist/site via package.json files and exports.
- No child_process, Node filesystem, credential harvesting, or persistence APIs found in inspected package files.
- DateField bidi characters are explicit LRI/PDI literals used while constructing hour segments.
- Network calls are component/runtime media, map, SVG, and video functionality; no exfiltration path was identified.
Behavioral surface
ChildProcessEnvironmentVarsEvalNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/site/components/Lottie/component.jsView file
13712var scoped_bm_rt;
L13713: var expression_function = eval("[function _expression_function(){" + val + ";scoped_bm_rt=$bm_rt}]")[0];
L13714: var numKeys = property.kf ? data.k.length : 0;
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/site/components/Lottie/component.jsView on unpkg · L13712dist/site/components/chunks/DateField.jsView file
6423contains invisible/control Unicode U+2066 (left-to-right isolate)
text: "<U+2066>",
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/site/components/chunks/DateField.jsView on unpkg · L6423dist/site/components/chunks/constants3.jsView file
61patternName = generic_password
severity = medium
line = 61
matchedText = password...rd",
Medium
Secret Pattern
Hardcoded password in dist/site/components/chunks/constants3.js
dist/site/components/chunks/constants3.jsView on unpkg · L61Findings
1 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist/site/components/chunks/DateField.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/site/components/chunks/constants3.js
LowScripts Present
LowEvaldist/site/components/Lottie/component.js
LowHigh Entropy Strings
LowUrl Strings