AI Security Review
scanned 17h ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The package performs user-invoked database backup and restore operations with expected file and database mutation for that purpose.
Static reason
One or more suspicious static signals were detected.
Trigger
Runtime call to exported dbbackuper(configData)
Impact
Can write backup archives, use temporary ./backupfiles data, and restore/replace database or project files when explicitly configured.
Mechanism
database backup/restore and zip file handling
Rationale
Static inspection shows a database backup/restore library with dangerous but package-aligned, user-invoked filesystem and database operations. The dependency names matching Node built-ins are suspicious packaging hygiene, but source behavior does not show install-time execution, exfiltration, persistence, or control-surface hijacking.
Evidence
- package.json
- index.js
- functions.js
- filefunctions.js
- createbackup.js
- upload.js
- links.js
- ./backupfiles
- ./backupfiles/backup
- ./backupfiles/backup/database
- ./backupfiles/backup/database/files
- ./backupfiles/backup/programfiles
Decision evidence
public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json declares dependencies named fs/path/stream, but source requires Node built-ins normally.
- upload.js can move/replace project files and clear database rows during explicit restore modes.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks or bin entry.
- index.js exports a user-invoked function; no import-time backup, upload, shell, or network action.
- Network use is limited to user-supplied MySQL/PostgreSQL database connections in functions.js/index.js.
- File writes/deletes are backup/restore-aligned under ./backupfiles, output zip paths, and explicit full-restore handling.
- No child_process, eval/vm/Function, remote payload loading, credential exfiltration, persistence, or AI-agent control-surface writes found.
Behavioral surface
Filesystem
High Entropy Strings
Source & flagged code
1 flagged
package.json
- Runtime dependency names matching Node built-ins: fs, path, stream
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.json
Findings
1 High, 3 Low
- High: Node Builtin Dependency Squat (package.json)
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings