
xei-editor@0.2.1

xei (晴) — a modern Vim-like terminal editor in Rust

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious behavior was found, but install-time replacement of a native executable from the network creates unresolved supply-chain risk. The network endpoint is package-aligned but no checksum or signature verification is present.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install / postinstall
Impact
Potential execution of unverified release binary if upstream release or transport target is compromised
Mechanism
download and install native editor binary
Attack narrative
On postinstall, install.js removes the packaged bin/xei, downloads a gzip-compressed platform binary from the stremtec/xei GitHub release, writes it to bin/xei, and marks it executable. This is aligned with distributing a Rust CLI editor, but the installed executable is fetched without integrity verification.
Rationale
Static inspection does not show credential theft, exfiltration, persistence, or destructive behavior beyond package-aligned editor functionality. The package should be warned rather than blocked because its install-time network native-binary replacement lacks integrity verification.
Evidence
package.json, install.js, bin/xei, README.md
Network endpoints (1)
github.com/stremtec/xei/releases/download/v0.2.1/xei-${target}${EXE}.gz

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node install.js
  • install.js performs install-time HTTPS download from GitHub releases
  • install.js deletes and rewrites bin/xei, then chmods it executable
  • bin/xei is a native Mach-O arm64 executable
Evidence against
  • install.js downloads from package-aligned github.com/stremtec/xei release path
  • No process.env, credential, npmrc, ssh, or secret harvesting found by source grep
  • No child_process, eval, vm, or dynamic require beyond fs in install.js
  • README describes xei as a terminal editor and documents local file editing features
Behavioral surface
Source: Filesystem, Network
Supply chain: Url Strings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 1.78 KB of source, external domains: github.com

Source & flagged code

3 flagged
package.json
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

bin/xei
path = bin/xei kind = native_binary sizeBytes = 989520 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.


Findings

1 High, 3 Medium, 3 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Network
Medium: Ships Native Binary (bin/xei)
Low: Scripts Present
Low: Filesystem
Low: Url Strings