registry  /  @wix/editor-react-components  /  1.2313.0

@wix/editor-react-components@1.2313.0

React components for the Wix Editor

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface. Runtime networking is limited to component media/video handling against Wix endpoints.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer imports and uses UI components; media components load their configured assets.
Impact
No credential theft, persistence, remote payload chain, or destructive behavior established.
Mechanism
Bundled React UI, animation, audio, image, and video rendering.
Rationale
Direct source inspection found a UI component bundle without install hooks or host-control primitives. Scanner hits are explained by Lottie expression support, Unicode bidi formatting for dates, and Wix media endpoints.
Evidence
package.jsondist/site/components/Lottie/component.jsdist/site/components/chunks/Tooltip.jsdist/site/components/VideoUpload/sdk.jsdist/site/components/chunks/customElementInit.js
Network endpoints3
files.wix.com/static.wixstatic.com/mediastatic.wixstatic.com/shapes

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` exports only bundled UI component entrypoints and has no lifecycle hooks.
    • No filesystem, subprocess, credential, AI-agent config, or environment-harvesting primitives found in `dist/site/**/*.js`.
    • `Lottie/component.js` eval is gated by `runExpressions` and builds animation expressions from Lottie data.
    • `Tooltip.js` bidi isolates are intentional date/time literal segments, not concealed control flow.
    • Observed endpoints are Wix media URLs used by image/video components.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsEvalNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 311 file(s), 6.08 MB of source, external domains: aomedia.org, api.whatsapp.com, base-ui.com, editor.wix.com, facebook.com, fb.me, files.wix.com, github.com, maps.googleapis.com, pinterest.com, static.filesuser.com, static.parastorage.com, static.wixstatic.com, twitter.com, video.wixstatic.com, vimeo.com, visgl.github.io, www.facebook.com, www.google.com, www.instagram.com, www.linkedin.com, www.snapchat.com, www.tiktok.com, www.w3.org, www.wix.com, www.youtube.com

    Source & flagged code

    3 flagged · loading source
    dist/site/components/Lottie/component.jsView file
    13712var scoped_bm_rt; L13713: var expression_function = eval("[function _expression_function(){" + val + ";scoped_bm_rt=$bm_rt}]")[0]; L13714: var numKeys = property.kf ? data.k.length : 0;
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/site/components/Lottie/component.jsView on unpkg · L13712
    dist/site/components/chunks/Tooltip.jsView file
    7191contains invisible/control Unicode U+2066 (left-to-right isolate) text: "<U+2066>",
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/site/components/chunks/Tooltip.jsView on unpkg · L7191
    dist/site/components/chunks/constants3.jsView file
    61patternName = generic_password severity = medium line = 61 matchedText = password...rd",
    Medium
    Secret Pattern

    Hardcoded password in dist/site/components/chunks/constants3.js

    dist/site/components/chunks/constants3.jsView on unpkg · L61

    Findings

    1 Critical4 Medium4 Low
    CriticalTrojan Source Unicodedist/site/components/chunks/Tooltip.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    MediumSecret Patterndist/site/components/chunks/constants3.js
    LowScripts Present
    LowEvaldist/site/components/Lottie/component.js
    LowHigh Entropy Strings
    LowUrl Strings