
dbbackuper@1.2.7

You can backup your database easily using this module

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package performs database backup/restore and optional full application-file backup/restore when called by the user.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports index.js and calls the exported async function with DB credentials, path, and upload/download mode.
Impact
Can create backup zip files, write staging data under ./backupfiles, restore database rows and schema, and move or replace application files during a full restore; no evidence of unconsented exfiltration or install-time execution.
Mechanism
User-directed MySQL backup/restore with local zip and filesystem staging
Rationale
Static inspection shows risky but package-aligned backup/restore primitives, including local file copying/deletion and DB table/row changes, only behind explicit runtime calls. There is no install-time execution, credential harvesting, external exfiltration endpoint, shell execution, or hidden payload to justify a malicious or warn verdict.
Evidence
  • package.json, index.js, createbackup.js, upload.js, filefunctions.js, functions.js, getmetadata.js, getrows.js, uploaddata.js, validateUploads.js, links.js, checkdiskspace.js
  • ./backupfiles, ./backupfiles/backup, ./backupfiles/backup/database, ./backupfiles/backup/database/files, ./backupfiles/backup/programfiles
  • <caller output path>/backup_*_by_dbbackuper.zip
  • <application root>/Old_files*

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json declares runtime dependencies named fs, path and stream, which collide with Node built-in module names; the npm package named fs is a security-holding placeholder, and the source's imports resolve to the built-in modules rather than to the declared packages.
  • upload.js can move application-root files to Old_files and restore programfiles from a user-supplied backup zip when upload/full backup data is invoked.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and main is index.js.
  • No child_process, eval, Function, shell downloaders, or opaque encoded payloads found by source search.
  • No runtime exfiltration endpoints; only funding/social URLs appear in package.json/README.
  • Database credentials are consumed from caller config for MySQL/PG connections, not harvested from env or local credential files.
  • Backup/restore file and DB operations are user-invoked and aligned with the package purpose.
Behavioral surface
  • Source
  • Filesystem
  • Supply chain
  • High Entropy Strings
Manifest
No manifest risk signals triggered.
scanned 11 file(s), 299 KB of source

Source & flagged code

1 flagged
package.json
High: Node Builtin Dependency Squat
Runtime dependency names matching Node built-ins: fs, path, stream

Package declares a runtime dependency whose name matches a Node built-in module.

Findings

1 High, 3 Low
  • High: Node Builtin Dependency Squat (package.json)
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings