dbbackuper@1.2.9

You can backup your database easily using this module

AI Security Review

scanned 18h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package performs user-invoked database backup and restore operations with expected local file and database mutation for that purpose.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced a dangerous source file.
Trigger
User imports/calls exported function with database credentials, path, and download/upload mode.
Impact
Can modify local project files and database contents during explicit restore modes, but no unconsented install/import-time behavior was found.
Mechanism
Database backup/restore library with local zip extraction/creation and SQL schema/data operations.
Rationale
Static inspection shows dangerous primitives are aligned with an explicit database backup/restore package and are activated by user-provided runtime config, not install/import-time code. No exfiltration, remote code execution, persistence, or agent control-surface mutation was found.
Evidence
  • package.json
  • index.js
  • functions.js
  • filefunctions.js
  • createbackup.js
  • upload.js
  • uploaddata.js
  • links.js
  • backupfiles/
  • user-provided output zip path
  • user-provided input zip path
  • Old_files* in application root during full restore

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json declares npm deps named after the Node built-ins fs/path/stream, but they are not executed by any lifecycle script.
  • upload.js can move project files to Old_files and restore files from a backup archive when user calls upload mode.
  • functions.js/uploaddata.js contain DROP/TRUNCATE/DELETE helpers used for database restore modes.
Evidence against
  • package.json has no preinstall/install/postinstall hooks and main is index.js only.
  • No child_process, eval/Function, HTTP client, or exfiltration endpoints found by source search.
  • Network use is limited to user-supplied MySQL/Postgres connections for backup/restore.
  • File writes/deletes are package-aligned backup workspace/output operations or explicit restore behavior.
  • No AI-agent control-surface writes, persistence hooks, credential harvesting, or remote payload loading found.
Behavioral surface
Source
Filesystem
Supply chain
High entropy strings
Manifest: No manifest risk signals triggered.
scanned 11 file(s), 303 KB of source

Source & flagged code

2 flagged
package.json
Runtime dependency names matching Node built-ins: fs, path, stream
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

functions.js
matchType = previous_version_dangerous_delta
matchedPackage = dbbackuper@1.2.8
matchedIdentity = npm:ZGJiYWNrdXBlcg:1.2.8
similarity = 0.727
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.


Findings

2 High · 3 Low
  • High · Node Builtin Dependency Squat · package.json
  • High · Previous Version Dangerous Delta · functions.js
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings