
xei-editor@0.2.8

xei (晴) — a modern Vim-like terminal editor in Rust

AI Security Review

scanned 8h ago · by lpm-firewall-ai

No concrete malicious behavior was confirmed, but install-time remote executable replacement creates unresolved supply-chain risk. The runtime binary appears to be a Vim-like terminal editor with user-invoked file operations.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall; user runs xei CLI
Impact
A compromised release/download path could replace the executable installed as bin/xei; no source evidence of active malware was found.
Mechanism
install-time GitHub release binary download and chmod
Attack narrative
During npm postinstall, install.js selects an OS/CPU target, downloads a gzipped xei binary from the package's GitHub releases, decompresses it into bin/xei, and chmods it executable. The download is package-aligned, but nothing verifies the artifact itself: TLS authenticates github.com, not the bytes of the release asset, so anyone able to replace that asset can ship a different executable to every subsequent install. It is therefore a warning-level staged executable delivery risk rather than confirmed malware.
Rationale
Static inspection found an install-time native binary downloader with no hash verification, but the endpoint and behavior are aligned with the declared Rust terminal editor, and no exfiltration, persistence, AI-agent hijack, or destructive install behavior was found. Warn rather than block, because the install-time binary supply-chain risk is unresolved rather than confirmed.
Evidence
  • package.json
  • install.js
  • bin/xei
  • README.md
Network endpoints (1)
  • github.com/stremtec/xei/releases/download/v0.2.8/xei-<target>.gz

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
  • package.json runs postinstall: node install.js
  • install.js downloads a gzip executable from github.com/stremtec/xei releases at install time
  • install.js unlinks and rewrites bin/xei without an integrity/hash check
  • Package ships native binary bin/xei
Evidence against
  • install.js download URL is package-aligned with repository/version v0.2.8
  • No credential/env harvesting or exfiltration found in install.js or binary strings
  • No AI-agent control-surface writes found
  • README and binary strings match a terminal editor with user-invoked save/delete/terminal features
Behavioral surface
Source: Filesystem, Network
Supply chain: Url Strings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 1.75 KB of source, external domains: github.com

Source & flagged code

3 flagged

package.json
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

bin/xei
path = bin/xei kind = native_binary sizeBytes = 989520 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

Findings

1 High · 3 Medium · 3 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Ships Native Binary · bin/xei
Low · Scripts Present
Low · Filesystem
Low · Url Strings