
xei-editor@0.1.5

xei (晴) — a modern Vim-like terminal editor in Rust

AI Security Review

scanned 8h ago · by lpm-firewall-ai

No confirmed malicious behavior was found. The package defines an install hook that fetches a version-matched editor binary from the project's GitHub releases into its own bin directory, and it also ships a native CLI binary at bin/xei.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install (the postinstall hook runs node install.js), or the user running xei
Impact
Install-reliability and supply-chain risk: the postinstall downloads an unsigned binary and installs it without verifying a checksum, so a replaced or corrupted release asset would not be detected before it is executed; no source evidence of malicious behavior
Mechanism
Install-time download of the package's own native CLI binary into bin/xei, which runs when the user invokes xei
Rationale
Static inspection found suspicious packaging primitives (install-time lifecycle script, remote binary download, shipped native binary), but they are consistent with distributing a Rust terminal editor and do not write outside the package directory, persist, harvest data, or exfiltrate. The shipped binary and installer evidence supports a Clean verdict with residual native-binary supply-chain risk rather than malicious behavior.
Evidence
package.json, install.js, bin/xei, README.md
Network endpoints (1)
github.com/stremtec/xei/releases/download/v0.1.5/xei-${target}${EXE}.gz

Decision evidence

public snapshot
The AI verdict is Clean (Benign) at 86.0% confidence, with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node install.js
  • install.js contains package-aligned HTTPS download logic for a GitHub release binary, with no checksum or signature verification of the downloaded artifact
  • Package ships native binary bin/xei
Evidence against
  • install.js writes only ./bin/xei and chmods it; no writes to home or project agent-control files, and no persistence
  • install.js references only github.com/stremtec/xei release URL, matching package repository
  • No credential/env harvesting, shell execution, eval, dynamic require, or broad filesystem traversal found
  • bin/xei strings show Rust TUI/editor libraries and no suspicious network, secret, AI-agent, or persistence indicators
  • README describes a Vim-like terminal editor; runtime file operations are user-invoked editor features
Behavioral surface
Source: Filesystem, Network
Supply chain: Url Strings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 1.72 KB of source, external domains: github.com

Source & flagged code

3 flagged
package.json
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

bin/xei
path = bin/xei kind = native_binary sizeBytes = 989520 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.


Findings

1 High, 3 Medium, 3 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Network
Medium: Ships Native Binary (bin/xei)
Low: Scripts Present
Low: Filesystem
Low: Url Strings