AI Security Review
scanned 8h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The install hook is a package-aligned binary fetch fallback, and the bundled executable appears to be a user-invoked terminal editor.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install or user runs xei
Impact
Installs or runs the xei editor; user-invoked editor may read/write files selected by the user.
Mechanism
package-local binary install fallback and CLI editor execution
Rationale
The suspicious primitives are consistent with distributing a Rust CLI editor via npm: a postinstall fallback downloads a package-owned release artifact and writes only the package-local binary path. No concrete evidence of malware, exfiltration, persistence, or unconsented agent/control-surface mutation was found.
Evidence
package.json, install.js, bin/xei, README.md
Network endpoints (1)
github.com/stremtec/xei/releases/download/v0.1.3/xei-${target}.gz
Decision evidence
public snapshot: AI called this Clean at 84.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json runs postinstall: node install.js
- install.js can download a gzip binary from GitHub releases if bin/xei is absent
- package ships native executable bin/xei
Evidence against
- install.js only targets package-local bin/xei and chmods it
- download URL is package-aligned: github.com/stremtec/xei release v0.1.3
- no credential/env harvesting, AI-agent control-surface writes, persistence, shell execution, or destructive install behavior found
- binary strings show terminal editor UI/config strings, not exfiltration or suspicious endpoints
Behavioral surface
Filesystem, Network, Url Strings
Source & flagged code
3 flagged
package.json
•scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
•scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
bin/xei
•path = bin/xei
kind = native_binary
sizeBytes = 989520
magicHex = [redacted]
Medium
Findings
1 High · 3 Medium · 3 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Network
Medium: Ships Native Binary (bin/xei)
Low: Scripts Present
Low: Filesystem
Low: Url Strings