AI Security Review
scanned 8h ago · by lpm-firewall-ai
No confirmed malicious attack surface. Install-time code downloads (and replaces) the package CLI binary from the upstream GitHub release; the download source is package-aligned, but the binary is installed without any integrity verification.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install (postinstall hook) or the user running xei
Impact
Installs/executes package CLI binary; no malicious behavior confirmed by static inspection.
Mechanism
platform binary install and terminal editor CLI
Rationale
The suspicious primitives are consistent with distributing a Rust CLI editor via npm: postinstall fetches the matching release binary into the package bin directory, and static strings show editor commands rather than harvesting, persistence, or agent hijack behavior. Lack of checksum verification is a supply-chain hardening gap but not concrete malicious behavior in this package source.
Evidence
package.json, install.js, bin/xei, README.md, bin/xei.exe
Network endpoints (1)
github.com/stremtec/xei/releases/download/v0.2.3/xei-${target}${EXE}.gz
Decision evidence
public snapshot: AI called this Clean at 86.0% confidence (Benign, low false-positive risk).
Evidence for block
- package.json defines postinstall: node install.js
- install.js downloads a gzipped platform binary from GitHub release without checksum verification
- Package ships native executable bin/xei
Evidence against
- install.js only targets package bin path and chmods it executable
- Network URL is package-aligned: github.com/stremtec/xei releases v0.2.3
- No credential/env harvesting, AI-agent control-surface writes, persistence hooks, or exfiltration found
- README and binary strings align with a terminal text editor
Behavioral surface
- Filesystem
- Network
- Url Strings
Source & flagged code
3 flagged

package.json
• scripts.postinstall = node install.js
High: Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
• scripts.postinstall = node install.js
Medium: Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

bin/xei
• path = bin/xei
kind = native_binary
sizeBytes = 989520
magicHex = [redacted]
Medium: Ships Native Binary
Findings
1 High, 3 Medium, 3 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Medium: Ships Native Binary (bin/xei)
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings