xei-editor@0.1.7

xei (晴) — a modern Vim-like terminal editor in Rust

AI Security Review

scanned 8h ago · by lpm-firewall-ai

Install-time code fetches and installs a remote native executable. This is package-aligned but creates unresolved supply-chain risk because the fetched binary is not integrity-pinned by the package.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall
Impact
Installer replaces/creates bin/xei from GitHub release content; compromise of that release path could affect consumers at install time.
Mechanism
remote binary download and executable install
Attack narrative
On install, install.js selects an OS/CPU target, removes the existing package binary, downloads a gzipped executable from the package's GitHub releases, decompresses it into bin/xei, and chmods it executable. The behavior is aligned with distributing a Rust CLI editor, but it is install-time executable replacement from a remote URL without package-local integrity verification.
Rationale
Source inspection shows no concrete exfiltration, persistence, destructive action beyond editor commands, or foreign AI-agent mutation. The remaining risk is the unpinned lifecycle download of a native executable, so warn rather than block.
Evidence
package.json, install.js, README.md, bin/xei
Network endpoints (2)
github.com/stremtec/xei/releases/download/v0.1.7/xei-${target}${EXE}.gz
git+https://github.com/stremtec/xei.git

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
  • package.json runs postinstall: node install.js
  • install.js deletes bin/xei then downloads a platform binary during install
  • install.js writes decompressed response to bin/xei and chmods it executable
  • Downloaded executable has no checksum/signature verification in package code
Evidence against
  • Network endpoint is package-aligned GitHub release for stremtec/xei v0.1.7
  • No credential/env harvesting, shell execution, persistence, or AI-agent control-surface writes found
  • README and binary strings are consistent with a terminal editor
  • Packaged bin/xei is a native CLI binary expected for this Rust editor package
Behavioral surface
Source: Filesystem, Network
Supply chain: Url Strings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 1.78 KB of source, external domains: github.com

Source & flagged code

3 flagged
package.json
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

bin/xei
path = bin/xei kind = native_binary sizeBytes = 989520 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.


Findings

1 High · 3 Medium · 3 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Ships Native Binary · bin/xei
Low · Scripts Present
Low · Filesystem
Low · Url Strings