dbbackuper@1.2.6

You can backup your database easily using this module

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package provides user-invoked MySQL backup and restore behavior with local filesystem staging and caller-configured database connections.

Static reason
One or more suspicious static signals were detected.
Trigger
Caller imports the module and invokes exported function with database credentials, path, and upload/download mode.
Impact
Can read database rows into local backup files, create zip archives, and restore/move project files when explicitly requested; no evidence of unconsented exfiltration or install-time execution.
Mechanism
User-directed database backup/restore and local zip staging
Rationale
Static source inspection shows risky but package-aligned backup/restore primitives activated by explicit runtime calls, not by installation or import. The builtin-named dependencies are suspicious packaging hygiene issues, but source inspection found no concrete malicious behavior or exfiltration endpoint.
Evidence
  • package.json
  • index.js
  • createbackup.js
  • upload.js
  • filefunctions.js
  • functions.js
  • links.js
  • ./backupfiles
  • caller-supplied backup zip/output path
  • application root during full backup/restore
Network endpoints: 1
caller-supplied database host/port

Decision evidence

public snapshot
AI called this Clean at 87.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json declares deprecated/builtin-named deps fs/path/stream, a suspicious packaging signal.
  • upload.js can move project files during full restore and clean/replace database tables, but only when caller invokes upload mode.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and main is index.js.
  • index.js exports a function; no import-time backup, restore, shell, or network action found.
  • Network activity is database connections via mysql2/pg to caller-supplied host/port, aligned with backup/restore purpose.
  • createbackup.js writes local ./backupfiles and backup zip; no remote exfiltration endpoint found.
  • rg found no child_process, eval/vm/Function, dynamic remote loading, persistence, or AI-agent control-surface writes.
Behavioral surface
Source
Filesystem
Supply chain
HighEntropyStrings
Manifest: No manifest risk signals triggered.
scanned 12 file(s), 301 KB of source

Source & flagged code

1 flagged
package.json
Runtime dependency names matching Node built-ins: fs, path, stream
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

Findings

1 High, 3 Low
  • High: Node Builtin Dependency Squat (package.json)
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings