xei-editor@0.3.0

xei (晴) — a modern Vim-like terminal editor in Rust

AI Security Review

scanned 8h ago · by lpm-firewall-ai

The package has an install-time executable replacement path: postinstall fetches a platform binary and installs it as bin/xei. This is package-aligned but lacks integrity verification, leaving supply-chain risk without confirmed malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install / postinstall
Impact
Runs a downloaded terminal editor binary when the user invokes xei; install can replace the packaged binary with remote release content.
Mechanism
install-time native binary download and chmod
Attack narrative
On installation, npm runs install.js, which removes the existing bin/xei, downloads a platform-specific gzipped executable from the project's GitHub release, decompresses it into bin/xei, and marks it executable. The behavior is consistent with distributing a Rust CLI editor, but the remote binary is not checksum-verified.
Rationale
Static inspection found a real install-time native binary download with no integrity check, which is risky enough to warn but remains package-aligned and lacks concrete malicious actions. No exfiltration, persistence, AI-agent hijack, or unrelated network/control behavior was found.
Evidence
package.json, install.js, bin/xei, README.md
Network endpoints (1)
github.com/stremtec/xei/releases/download/v0.3.0/xei-${target}${EXE}.gz

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node install.js
  • install.js downloads a gzipped executable during install from GitHub releases and writes bin/xei
  • install.js follows redirects and does not verify checksum/signature before chmod 755
  • Package also ships native Mach-O executable at bin/xei
Evidence against
  • Download URL is package-aligned: github.com/stremtec/xei releases v0.3.0
  • README documents xei as a Rust terminal editor and bin/xei strings match editor commands/themes
  • No evidence of credential harvesting, AI-agent control-surface writes, persistence hooks, or destructive install behavior
  • Only network endpoint found in install code is the package release host
Behavioral surface
Source: Filesystem, Network
Supply chain: Url Strings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 1.75 KB of source, external domains: github.com

Source & flagged code

3 flagged

package.json
scripts.postinstall = node install.js
High: Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.js
Medium: Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

bin/xei
path = bin/xei kind = native_binary sizeBytes = 989520 magicHex = [redacted]
Medium: Ships Native Binary

Package ships native binary artifacts.

Findings

1 High, 3 Medium, 3 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Network
Medium: Ships Native Binary (bin/xei)
Low: Scripts Present
Low: Filesystem
Low: Url Strings