
xei-editor@0.2.3

xei (晴) — a modern Vim-like terminal editor in Rust

AI Security Review

scanned 8h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Install-time code downloads the package CLI binary from the upstream GitHub release and replaces the shipped one; the source is package-aligned, but the download lacks integrity verification.

Static reason: One or more suspicious static signals were detected.
Trigger: npm install/postinstall, or a user running xei
Impact: Installs/executes the package CLI binary; no malicious behavior confirmed by static inspection.
Mechanism: platform binary install and terminal editor CLI
Rationale: The suspicious primitives are consistent with distributing a Rust CLI editor via npm: postinstall fetches the matching release binary into the package bin directory, and static strings show editor commands rather than harvesting, persistence, or agent hijack behavior. Lack of checksum verification is a supply-chain hardening gap but not concrete malicious behavior in this package source.
Evidence: package.json, install.js, bin/xei, README.md, bin/xei.exe
Network endpoints (1):
  • github.com/stremtec/xei/releases/download/v0.2.3/xei-${target}${EXE}.gz

Decision evidence

public snapshot
AI classified this package as Clean (Benign) at 86.0% confidence, with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node install.js
  • install.js downloads a gzipped platform binary from GitHub release without checksum verification
  • Package ships native executable bin/xei
Evidence against
  • install.js only targets package bin path and chmods it executable
  • Network URL is package-aligned: github.com/stremtec/xei releases v0.2.3
  • No credential/env harvesting, AI-agent control-surface writes, persistence hooks, or exfiltration found
  • README and binary strings align with a terminal text editor
Behavioral surface
  • Source: Filesystem, Network
  • Supply chain: Url Strings
  • Manifest: No manifest risk signals triggered.
scanned 1 file(s), 1.78 KB of source, external domains: github.com

Source & flagged code

3 flagged

package.json
scripts.postinstall = node install.js
High: Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.js
Medium: Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

bin/xei
path = bin/xei kind = native_binary sizeBytes = 989520 magicHex = [redacted]
Medium: Ships Native Binary

Package ships native binary artifacts.

Findings

1 High, 3 Medium, 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Medium: Ships Native Binary (bin/xei)
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings