registry  /  @wix/editor-react-components  /  1.2328.0

@wix/editor-react-components@1.2328.0

React components for the Wix Editor

AI Security Review

scanned 21h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network use is limited to user-rendered UI media, icons, and video metadata; no install-time execution or host-control mutation exists.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Rendering relevant Wix editor components
Impact
No confirmed unauthorized execution, persistence, credential collection, or exfiltration
Mechanism
Browser UI asset and video metadata loading
Rationale
Static inspection finds a bundled Wix React component package with no lifecycle execution or concrete malicious chain. Scanner hits are attributable to normal browser component behavior and bundled Lottie/date-time code.
Evidence
package.jsondist/site/components/Lottie/component.jsdist/site/components/chunks/Tooltip.jsdist/site/components/TextInput/component.jsdist/site/components/SocialPlayerVimeo/component.jsdist/site/components/chunks/Video.jsREADME.md
Network endpoints3
static.parastorage.comstatic.wixstatic.comvimeo.com/api/oembed.json

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks or bin entrypoint.
    • Published files are UI assets under dist/site; no native binaries found.
    • No child_process, shell, filesystem harvesting, or credential-exfiltration primitives found.
    • Lottie eval is bundled expression support, not install-time code or remote payload loading.
    • Tooltip bidi characters are intentional date/time directionality literals.
    • Observed fetches load Wix icon/media assets or Vimeo metadata during component use.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsEvalNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 315 file(s), 6.11 MB of source, external domains: aomedia.org, api.whatsapp.com, base-ui.com, editor.wix.com, facebook.com, fb.me, files.wix.com, github.com, maps.googleapis.com, pinterest.com, static.filesuser.com, static.parastorage.com, static.wixstatic.com, twitter.com, video.wixstatic.com, vimeo.com, visgl.github.io, www.facebook.com, www.google.com, www.instagram.com, www.linkedin.com, www.snapchat.com, www.tiktok.com, www.w3.org, www.wix.com, www.youtube.com

    Source & flagged code

    3 flagged · loading source
    dist/site/components/Lottie/component.jsView file
    13712var scoped_bm_rt; L13713: var expression_function = eval("[function _expression_function(){" + val + ";scoped_bm_rt=$bm_rt}]")[0]; L13714: var numKeys = property.kf ? data.k.length : 0;
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/site/components/Lottie/component.jsView on unpkg · L13712
    dist/site/components/chunks/Tooltip.jsView file
    7191contains invisible/control Unicode U+2066 (left-to-right isolate) text: "<U+2066>",
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/site/components/chunks/Tooltip.jsView on unpkg · L7191
    dist/site/components/chunks/constants3.jsView file
    61patternName = generic_password severity = medium line = 61 matchedText = password...rd",
    Medium
    Secret Pattern

    Hardcoded password in dist/site/components/chunks/constants3.js

    dist/site/components/chunks/constants3.jsView on unpkg · L61

    Findings

    1 Critical4 Medium4 Low
    CriticalTrojan Source Unicodedist/site/components/chunks/Tooltip.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    MediumSecret Patterndist/site/components/chunks/constants3.js
    LowScripts Present
    LowEvaldist/site/components/Lottie/component.js
    LowHigh Entropy Strings
    LowUrl Strings