
xei-editor@0.2.6

xei (晴) — a modern Vim-like terminal editor in Rust

AI Security Review

scanned 8h ago · by lpm-firewall-ai

No confirmed malicious behavior was found. The package runs an install-time script that downloads a native binary for its declared xei CLI.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall; later user invocation of xei
Impact
Installs or replaces package-local bin/xei; no evidence of exfiltration, persistence, destructive behavior, or agent control hijack.
Mechanism
package-aligned release binary download and chmod
Rationale
The scanner-relevant lifecycle and network behavior are real, but source inspection shows they are limited to package-owned native CLI installation from the package's GitHub release. No concrete attack behavior or unauthorized lifecycle mutation outside the package was found.
Evidence
Files: package.json, install.js, bin/xei
Network endpoints (2):
  • github.com/stremtec/xei/releases/download/v0.2.6/xei-${target}${EXE}.gz
  • git+https://github.com/stremtec/xei.git

Decision evidence

public snapshot
The AI verdict is Clean (benign) at 88.0% confidence, with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node install.js
  • install.js deletes existing bin/xei, downloads gzip binary from GitHub releases, writes bin/xei, and chmods it
  • Package includes a native Mach-O arm64 executable at bin/xei
Evidence against
  • install.js writes only inside the package bin directory and does not touch home, project, shell startup, VCS hooks, or AI-agent control surfaces
  • Network endpoint is package-aligned: github.com/stremtec/xei release asset for VERSION v0.2.6
  • No source evidence of credential/env harvesting, persistence, destructive actions, eval/vm, shell execution, or suspicious child_process use
  • Declared bin maps xei to bin/xei, matching the installer purpose
Behavioral surface
Source: Filesystem, Network
Supply chain: Url Strings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 1.78 KB of source, external domains: github.com

Source & flagged code

3 flagged

package.json
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

bin/xei
path = bin/xei kind = native_binary sizeBytes = 989520 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

Findings

1 High · 3 Medium · 3 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Ships Native Binary · bin/xei
Low · Scripts Present
Low · Filesystem
Low · Url Strings