AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious behavior was found, but install-time replacement of a native executable from the network creates unresolved supply-chain risk. The network endpoint is package-aligned but no checksum or signature verification is present.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install / postinstall
Impact
Potential execution of unverified release binary if upstream release or transport target is compromised
Mechanism
download and install native editor binary
Attack narrative
On postinstall, install.js removes the packaged bin/xei, downloads a gzip-compressed platform binary from the stremtec/xei GitHub release, writes it to bin/xei, and marks it executable. This is aligned with distributing a Rust CLI editor, but the installed executable is fetched without integrity verification.
Rationale
Static inspection does not show credential theft, exfiltration, persistence, or destructive behavior beyond package-aligned editor functionality. The package should be flagged with a warning rather than blocked, because its install-time replacement of a native binary fetched over the network lacks integrity verification.
Evidence
package.json, install.js, bin/xei, README.md
Network endpoints (1)
github.com/stremtec/xei/releases/download/v0.2.1/xei-${target}${EXE}.gz
Decision evidence
Public snapshot: AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
- package.json defines postinstall: node install.js
- install.js performs install-time HTTPS download from GitHub releases
- install.js deletes and rewrites bin/xei, then chmods it executable
- bin/xei is a native Mach-O arm64 executable
Evidence against
- install.js downloads from package-aligned github.com/stremtec/xei release path
- No process.env, credential, npmrc, ssh, or secret harvesting found by source grep
- No child_process, eval, vm, or dynamic require beyond fs in install.js
- README describes xei as a terminal editor and documents local file editing features
Behavioral surface
Filesystem, Network, Url Strings
Source & flagged code
3 flagged

package.json
• scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
• scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

bin/xei
• path = bin/xei
kind = native_binary
sizeBytes = 989520
magicHex = [redacted]
Medium
Findings
1 High · 3 Medium · 3 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Network
Medium: Ships Native Binary (bin/xei)
Low: Scripts Present
Low: Filesystem
Low: Url Strings