AI Security Review
scanned 8h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package has an install-time native binary downloader for its declared xei CLI.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall; later user invocation of xei
Impact
Installs or replaces package-local bin/xei; no evidence of exfiltration, persistence, destructive behavior, or agent control hijack.
Mechanism
package-aligned release binary download and chmod
Rationale
The scanner-relevant lifecycle and network behavior are real, but source inspection shows they are limited to package-owned native CLI installation from the package's GitHub release. No concrete attack behavior or unauthorized lifecycle mutation outside the package was found.
Evidence
package.json, install.js, bin/xei
Network endpoints (2)
github.com/stremtec/xei/releases/download/v0.2.6/xei-${target}${EXE}.gz
git+https://github.com/stremtec/xei.git
Decision evidence
public snapshot: AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: node install.js
- install.js deletes existing bin/xei, downloads gzip binary from GitHub releases, writes bin/xei, and chmods it
- Package includes a native Mach-O arm64 executable at bin/xei
Evidence against
- install.js writes only inside the package bin directory and does not touch home, project, shell startup, VCS hooks, or AI-agent control surfaces
- Network endpoint is package-aligned: github.com/stremtec/xei release asset for VERSION v0.2.6
- No source evidence of credential/env harvesting, persistence, destructive actions, eval/vm, shell execution, or suspicious child_process use
- Declared bin maps xei to bin/xei, matching the installer purpose
Behavioral surface
Filesystem, Network
Url Strings
Source & flagged code
3 flagged
package.json
• scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
• scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
bin/xei
• path = bin/xei
kind = native_binary
sizeBytes = 989520
magicHex = [redacted]
Medium
Findings
1 High, 3 Medium, 3 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Network
Medium: Ships Native Binary (bin/xei)
Low: Scripts Present
Low: Filesystem
Low: Url Strings