
xei-editor@0.2.0

xei (晴) — a modern Vim-like terminal editor in Rust

AI Security Review

scanned 8h ago · by lpm-firewall-ai

The package has an install-time native binary fetcher, creating unresolved supply-chain risk but no confirmed malicious behavior. The lifecycle script installs a package-owned CLI binary from the project's GitHub release assets.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user later invokes xei CLI
Impact
Installs an opaque executable editor binary; no observed exfiltration, persistence, or foreign AI-agent control-surface mutation.
Mechanism
install-time remote native binary download and chmod
Attack narrative
On install, install.js removes the packaged bin/xei if present, selects an OS/CPU target, downloads a compressed executable from the project's GitHub release URL, writes it into bin/xei, and marks it executable. This is package-aligned for a Rust CLI editor but leaves the installed binary content dependent on a remote asset outside the npm tarball.
Rationale
Static inspection found no concrete malware behaviors, but install-time network retrieval of an opaque native executable is a real unresolved risk for firewall users. This warrants a warning rather than a publish block because the endpoint and behavior match the package's stated CLI editor purpose.
Evidence
package.json, install.js, bin/xei, README.md
Network endpoints (1)
github.com/stremtec/xei/releases/download/v0.2.0/xei-${target}${EXE}.gz

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node install.js
  • install.js deletes bin/xei, downloads a gzipped platform binary from GitHub releases, writes it to bin/xei, and chmods it executable
  • bin/xei is an opaque Mach-O arm64 native executable
Evidence against
  • Download URL is package-aligned: github.com/stremtec/xei/releases for version v0.2.0
  • No credential/env harvesting, agent control-surface writes, persistence, destructive lifecycle behavior, eval, or child_process use found in JS
  • README describes xei as a Vim-like Rust terminal editor and documents file-editing CLI behavior
Behavioral surface
Source: Filesystem, Network
Supply chain: Url Strings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 1.78 KB of source, external domains: github.com

Source & flagged code

3 flagged

package.json
scripts.postinstall = node install.js
High: Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.js
Medium: Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

bin/xei
path = bin/xei kind = native_binary sizeBytes = 989520 magicHex = [redacted]
Medium: Ships Native Binary
Package ships native binary artifacts.

Findings

1 High, 3 Medium, 3 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Network
Medium: Ships Native Binary (bin/xei)
Low: Scripts Present
Low: Filesystem
Low: Url Strings