dbbackuper@1.2.8

You can back up your database easily using this module

AI Security Review

scanned 20h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a user-invoked database backup/restore library with broad but package-aligned filesystem and database mutation behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime call to exported function with database credentials and backup/restore options.
Impact
Can read database contents into backup files and can overwrite/drop database tables or move application files during restore when explicitly invoked.
Mechanism
User-invoked database backup/restore and optional full application file backup/restore.
Rationale
The suspicious primitives are consistent with a backup/restore package and require runtime invocation with user-supplied config. I found no install-time execution, credential exfiltration, remote payload loading, persistence, or unconsented AI-agent/control-surface mutation.
Evidence
  • package.json
  • index.js
  • createbackup.js
  • upload.js
  • filefunctions.js
  • functions.js
  • uploaddata.js
  • links.js
  • ./backupfiles
  • ./backupfiles/backup/database
  • ./backupfiles/backup/programfiles
  • user-provided output path
  • user-provided zip path
  • application root during full backup/restore

Decision evidence

public snapshot
AI called this Clean at 87.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json declares runtime deps named fs/path/stream, but source imports Node builtins by those names.
  • upload.js can restore files into the application root when a user supplies a full backup zip.
  • functions.js/uploaddata.js include database DROP/DELETE/ALTER/INSERT/UPDATE helpers for restore modes.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks or bin entry.
  • index.js only runs backup/restore after exported function is called with configData.
  • No fetch/HTTP client, hardcoded exfiltration endpoint, child_process, eval, or AI-agent control-surface writes found.
  • Network activity is limited to user-configured MySQL/Postgres connections via mysql2/pg.
  • File writes are package-aligned backup temp/output paths and user-selected restore/backup paths.
Behavioral surface
Source
Filesystem
Supply chain
HighEntropyStrings
Manifest: No manifest risk signals triggered.
scanned 11 file(s), 302 KB of source

Source & flagged code

1 flagged
package.json
Runtime dependency names matching Node built-ins: fs, path, stream
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

Findings

1 High, 3 Low
  • High: Node Builtin Dependency Squat (package.json)
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings