@wistia/wistia-player-react

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

wistia_engineeringokizersheldonatwistia

Keywords

wistiavideoplayerembedweb componentcustom elementreact

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:dist/mjs/wistia-player-PIEQE36A.mjs	AI (source-diff): Webpack bundle for Wistia video player SDK; network+exec pattern is inherent to a video embed library, not malware.	ai	2026/05/28
source-diff	net-exec-file:dist/mjs/wistia-player-TH2PEY6N.mjs	AI (source-diff): Large webpack bundle of the Wistia player SDK; network+exec pattern is expected for a video player embed library.	ai	2026/05/28
source-diff	net-exec-file:dist/mjs/wistia-player-NRHMVWJQ.mjs	AI (source-diff): Webpack bundle for Wistia video player SDK; network+exec pattern is expected for dynamic script loading in a media player.	ai	2026/05/24
source-diff	net-exec-file:dist/mjs/wistia-player-CA3ZQHXK.mjs	AI (source-diff): Webpack-bundled Wistia player; network+exec pattern is inherent to a video player loading its own scripts, not malware.	ai	2026/05/24
source-diff	net-exec-file:dist/mjs/wistia-player-L3FGFFN4.mjs	AI (source-diff): Webpack-bundled video player output; network+exec pattern is inherent to the player's design, not malware.	ai	2026/05/23
source-diff	net-exec-file:dist/mjs/wistia-player-W7JEK3YT.mjs	AI (source-diff): Webpack-bundled Wistia player artifact; network+exec pattern is expected for an embeddable video player, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-JV5AKUF3.mjs	AI (source-diff): Webpack-bundled Wistia player artifact; network+exec pattern is the player loading its own scripts, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-L32JEHH6.mjs	AI (source-diff): Webpack-bundled video player SDK; network+exec pattern is inherent to the wistia-player embed architecture, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-OT73HWX2.mjs	AI (source-diff): Webpack bundle for Wistia video player; network+exec pattern is standard player embed behavior, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-YSPWISPG.mjs	AI (source-diff): Webpack bundle of @wistia/wistia-player; network+exec pattern is standard player embed behavior, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-LDNTTEZL.mjs	AI (source-diff): Webpack bundle for Wistia video player SDK; dynamic script loading is expected for a media embed library.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-JFREZSBE.mjs	AI (source-diff): Webpack-bundled player artifact; network+exec pattern is inherent to the Wistia video player bundle, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-6Y735SL7.mjs	AI (source-diff): Webpack bundle for Wistia video player; network+exec pattern is inherent to a video embed SDK, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-3VB6IIEW.mjs	AI (source-diff): Webpack-bundled Wistia player; dynamic script loading is core to video embed functionality, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-HVZ6K3MN.mjs	AI (source-diff): Webpack-bundled Wistia player SDK; network+exec pattern is inherent to a video player library, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-HE5EHMCD.mjs	AI (source-diff): Wistia video player SDK legitimately loads scripts/iframes for video playback; webpack bundle pattern is consistent across versions.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-R64EQRPA.mjs	AI (source-diff): Webpack-bundled Wistia player SDK; network+exec pattern is inherent to a video player loading scripts, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-EMELY44T.mjs	AI (source-diff): Webpack-bundled video player SDK from Wistia; network+exec pattern is inherent to the player's script-loading design, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-HZKZ5A2T.mjs	AI (source-diff): Webpack-bundled video player SDK; network calls and script execution are expected for a media player component.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-7D6CZ7AF.mjs	AI (source-diff): Webpack-bundled Wistia player artifact; network+exec pattern is expected for a video player SDK loading its own scripts.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-URLZXOOY.mjs	AI (source-diff): Webpack-bundled video player artifact; network+exec pattern is expected for a media player SDK, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-T2NSDI5N.mjs	AI (source-diff): Webpack-bundled Wistia player SDK; network+exec pattern is expected for a video player embed library.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-B2YCJL7Y.mjs	AI (source-diff): Webpack-bundled Wistia player asset; dynamic script loading is inherent to the video player's design, not malicious.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-553ZER6Y.mjs	AI (source-diff): Webpack-bundled video player code; network+exec pattern is expected for a media player library from Wistia's official org.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-MY2EMXVV.mjs	AI (source-diff): Webpack bundle artifact for Wistia player; network+exec pattern is standard player embed behavior, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-BK7A5CHY.mjs	AI (source-diff): Webpack-bundled media player SDK; network calls and script execution are expected for Wistia player functionality, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-ZYXJZKTK.mjs	AI (source-diff): Large webpack bundle of @wistia/wistia-player; net+exec pattern is standard bundled player code, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-G7EUXEFC.mjs	AI (source-diff): Webpack-bundled Wistia player; dynamic script loading is core to the media player's architecture, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-FIDHPNDO.mjs	AI (source-diff): Webpack bundle of the Wistia player dependency; network+exec pattern is standard player embed behavior, not malware.	ai	2026/05/14
source-diff	net-exec-file:dist/mjs/wistia-player-YR6DGSTN.mjs	AI (source-diff): Webpack bundle of the Wistia player SDK; network+exec pattern is inherent to a video player library, not malware.	ai	2026/05/14
dependencies	unvetted-dep:@wistia/wistia-player	AI (dependencies): First-party sibling package from same @wistia org; React wrapper depending on the core player is expected and stable.	ai	2026/05/14
provenance	no-provenance	AI (provenance): Established Wistia org package; lack of provenance is consistent across all versions and not a risk indicator here.	ai	2026/05/14

Versions (showing 45 of 45)

Version	Deps	Published
0.7.0	2 / 14	2026-05-13
0.6.22	2 / 14	2026-05-13
0.6.21	2 / 14	2026-05-12
0.6.20	2 / 14	2026-05-05
0.6.19	2 / 14	2026-04-20
0.6.18	2 / 14	2026-04-15
0.6.17	2 / 14	2026-04-08
0.6.16	2 / 14	2026-04-07
0.6.15	2 / 14	2026-04-02
0.6.14	2 / 14	2026-03-31
0.6.13	2 / 14	2026-03-30
0.6.12	2 / 14	2026-03-25
0.6.11	2 / 14	2026-03-24
0.6.10	2 / 14	2026-03-18
0.6.9	2 / 14	2026-03-16
0.6.8	2 / 14	2026-03-10
0.6.7	2 / 14	2026-03-06
0.6.6	2 / 14	2026-03-04
0.6.5	2 / 14	2026-03-02
0.6.4	2 / 14	2026-03-02
0.6.3	2 / 14	2026-02-20
0.6.2	2 / 14	2026-02-17
0.6.1	2 / 14	2026-02-11
0.6.0	2 / 14	2026-02-11
0.5.1	2 / 14	2026-02-05
0.5.0	2 / 14	2026-02-05
0.4.3	2 / 14	2026-02-02
0.4.2	2 / 14	2026-01-27
0.4.1	2 / 14	2026-01-16
0.4.0	2 / 14	2026-01-07
0.3.19	2 / 14	2025-12-19
0.3.18	2 / 14	2025-12-15
0.3.17	2 / 14	2025-12-09
0.3.16	2 / 14	2025-12-09
0.3.15	2 / 14	2025-12-05
0.3.14	2 / 14	2025-12-01
0.3.13	2 / 14	2025-11-19
0.3.12	2 / 14	2025-11-19
0.3.11	2 / 14	2025-11-18
0.3.1	2 / 14	2025-10-02
0.2.0	2 / 14	2025-09-23
0.1.3	1 / 14	2025-05-23
0.1.1	1 / 14	2025-05-23
0.0.115	1 / 14	2025-05-14
0.0.114	1 / 14	2025-05-13

v0.7.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.22

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-ZYXJZKTK.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.21

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.20

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.19

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-G7EUXEFC.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.18

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.17

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-EMELY44T.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.16

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-HZKZ5A2T.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.15

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-7D6CZ7AF.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.14

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.13

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.12

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-OT73HWX2.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.11

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-R64EQRPA.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.10

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-W7JEK3YT.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.9

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-URLZXOOY.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.8

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.7

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-3VB6IIEW.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.6

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-T2NSDI5N.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.5

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-L32JEHH6.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.4

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-B2YCJL7Y.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.1

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-YSPWISPG.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.0

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-553ZER6Y.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.0

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-6Y735SL7.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.3

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-BK7A5CHY.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.2

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-MY2EMXVV.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.1

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-LDNTTEZL.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.0

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-HVZ6K3MN.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.19

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-JFREZSBE.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.18

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-HE5EHMCD.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.17

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.16

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-JV5AKUF3.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.15

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-YR6DGSTN.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.14

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-FIDHPNDO.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.13

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.12

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.11

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.1

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-TH2PEY6N.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.0

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-PIEQE36A.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.3

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-CA3ZQHXK.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.1

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-NRHMVWJQ.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.115

2 findings

HIGH New file with network + code execution: dist/mjs/wistia-player-L3FGFFN4.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.114

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.