xei-editor@0.5.0

xei (晴) — a modern Vim-like terminal editor in Rust

AI Security Review

scanned 8h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The install hook replaces bin/xei with a release asset from the declared upstream repository, and runtime behavior appears aligned with a Vim-like terminal editor.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user later runs xei
Impact
Installs/updates package CLI binary; editor can read/write/delete files only through user-invoked editor commands
Mechanism
package-aligned binary downloader and terminal editor executable
Rationale
The lifecycle network/download behavior is risky packaging practice but is limited to the package-owned CLI binary and points at the declared upstream release. Static inspection found no exfiltration, persistence, foreign agent control-surface writes, or concrete malicious behavior.
Evidence
  • package.json
  • install.js
  • README.md
  • bin/xei
  • ~/.xei.toml
Network endpoints (1)
  • github.com/stremtec/xei/releases/download/v0.5.0/xei-${target}${EXE}.gz

Decision evidence

public snapshot
AI verdict: Clean (Benign) at 86.0% confidence, with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node install.js
  • install.js downloads and gunzips a platform binary from GitHub releases without checksum verification
  • bin/xei is a shipped Mach-O executable with file/process imports
Evidence against
  • install.js only targets package bin/xei, creating bin/ and chmodding the downloaded executable
  • Network endpoint is package-aligned: github.com/stremtec/xei releases for v0.5.0
  • No credential/env harvesting, AI-agent control-surface writes, persistence, or suspicious lifecycle mutation found
  • Binary strings match a terminal editor: xei commands, themes, ~/.xei.toml, file open/save/delete UI, built-in terminal strings
  • README documents the editor CLI behavior, config path, and installer usage
Behavioral surface
Source
Filesystem, Network
Supply chain
Url Strings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 1.75 KB of source, external domains: github.com

Source & flagged code

3 flagged
package.json
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

bin/xei
path = bin/xei kind = native_binary sizeBytes = 989520 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.


Findings

1 High · 3 Medium · 3 Low
  • High — Install Time Lifecycle Scripts (package.json)
  • Medium — Ambiguous Install Lifecycle Script (package.json)
  • Medium — Network
  • Medium — Ships Native Binary (bin/xei)
  • Low — Scripts Present
  • Low — Filesystem
  • Low — Url Strings