AI Security Review
scanned 8h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package ships and exposes a native terminal editor binary; the lifecycle script appears intended to fetch a matching package binary from GitHub releases but is broken and package-aligned.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall, or user runs xei CLI
Impact
User-invoked editor may read/write files the user opens; no unconsented exfiltration or persistence found.
Mechanism
native CLI editor with broken package-aligned binary downloader
Rationale
Static inspection found suspicious packaging primitives, but they are consistent with a Rust terminal editor distributed through npm and no concrete malicious behavior was present. The install hook is broken before it can download or write the binary, and the only network endpoint is the package's GitHub release path.
Evidence
- package.json
- install.js
- bin/xei
- README.md
- ~/.xei.toml
Network endpoints (2)
- github.com/stremtec/xei/releases/download/v0.1.4/xei-${target}${EXE}.gz
- git+https://github.com/stremtec/xei.git
Decision evidence
public snapshot: AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: node install.js
- install.js contains package-aligned HTTPS download logic for a GitHub release binary
- bin/xei is a shipped native Mach-O arm64 executable
Evidence against
- install.js only references github.com/stremtec/xei release URL and local bin/ path
- No source references to credential harvesting, shell startup/VCS hooks, AI-agent control files, or exfiltration endpoints
- install.js has coding errors that prevent useful install-time behavior before network/file writes: EXE is used before initialization and platform/arch are not called
- Binary strings show terminal editor/crossterm/editor-related content, with no suspicious URLs or secret paths found
- README describes a Vim-like terminal editor and persistence only for package config ~/.xei.toml
Behavioral surface
- Filesystem
- Network
- Url Strings
Source & flagged code
3 flagged

package.json
• scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
• scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
bin/xei
• path = bin/xei
kind = native_binary
sizeBytes = 989520
magicHex = [redacted]
Medium
Findings
1 High · 3 Medium · 3 Low
- High · Install Time Lifecycle Scripts · package.json
- Medium · Ambiguous Install Lifecycle Script · package.json
- Medium · Network
- Medium · Ships Native Binary · bin/xei
- Low · Scripts Present
- Low · Filesystem
- Low · Url Strings