
xei-editor@0.2.4

xei (晴) — a modern Vim-like terminal editor in Rust

AI Security Review

scanned 8h ago · by lpm-firewall-ai

The package has an install-time native binary refresh path. The observed behavior is package-aligned but downloads executable content without integrity verification.

Static reason: One or more suspicious static signals were detected.
Trigger: npm install or xei CLI execution
Impact: Installs and executes a package-local terminal editor binary; compromise of the release asset path could affect installed code.
Mechanism: postinstall remote native binary download
Rationale: Source inspection found a package-aligned native editor installer, not concrete malware or unconsented foreign agent/persistence mutation. The unresolved risk is install-time executable download without checksum verification, so warn rather than block.
Evidence: package.json, install.js, bin/xei, README.md, ~/.xei.toml
Network endpoints (1):
github.com/stremtec/xei/releases/download/v0.2.4/xei-${target}${EXE}.gz

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
  • package.json runs postinstall: node install.js
  • install.js downloads a platform gzip executable from github.com/stremtec/xei releases
  • install.js writes and chmods bin/xei during install without checksum verification
  • package ships bin/xei as a native Mach-O arm64 executable
Evidence against
  • install.js only targets package-local bin/xei and supported OS/CPU tuples
  • No credential/env harvesting, shell execution, persistence, or agent control-surface writes found
  • README describes a Vim-like terminal editor and documented file-editing commands
  • Binary strings align with editor UI, syntax highlighting, themes, and ~/.xei.toml config
Behavioral surface
Source: Filesystem, Network
Supply chain: Url Strings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 1.78 KB of source, external domains: github.com

Source & flagged code

3 flagged
package.json
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

bin/xei
path = bin/xei kind = native_binary sizeBytes = 989520 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.


Findings

1 High, 3 Medium, 3 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Network
Medium: Ships Native Binary (bin/xei)
Low: Scripts Present
Low: Filesystem
Low: Url Strings