registry  /  xei-editor  /  3.0.4

xei-editor@3.0.4

xei (晴) — a modern Vim-modal terminal editor in Rust

AI Security Review

scanned 2h ago · by lpm-firewall-ai

npm postinstall replaces the bundled CLI with a remotely fetched executable. The fetch is package-aligned but integrity is not verified.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation; later explicit xei invocation
Impact
A compromised release artifact could become the installed CLI.
Mechanism
postinstall HTTPS binary downloader
Rationale
Source inspection confirms an unverified install-time executable fetch, creating a concrete supply-chain risk. No source evidence establishes malicious theft, persistence, destructive behavior, or foreign AI-agent control-surface mutation.
Evidence
package.jsoninstall.jsbin/xeiREADME.md
Network endpoints1
github.com/stremtec/xei/releases/download/v3.0.4/xei-<target>.gz

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • package.json invokes install.js as postinstall.
  • install.js deletes bin/xei and downloads a replacement executable.
  • The replacement binary has no checksum or signature validation in source.
Evidence against
  • Download URL is fixed to v3.0.4 under stated stremtec/xei repository.
  • Installer does not execute fetched binary or access credentials.
  • No AI-agent configuration writes, exfiltration, or destructive behavior found.
Behavioral surface
Source
FilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.76 KB of source, external domains: github.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/xeiView file
path = bin/xei kind = native_binary sizeBytes = 989520 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/xeiView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumShips Native Binarybin/xei
LowScripts Present
LowFilesystem
LowUrl Strings