dbbackuper@1.3.5

You can backup your database easily using this module

AI Security Review

scanned 16h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked MySQL backup/restore utility with broad but package-aligned database and filesystem effects.

Static reason
One or more suspicious static signals were detected.
Trigger
Calling the exported async function with backup/restore configuration.
Impact
Can read/write/drop configured databases and create/move/copy files during explicit backup or restore modes.
Mechanism
Database backup/restore and optional project file backup/restore.
Rationale
The suspicious built-in dependency names are noisy because the source imports Node built-ins normally and has no lifecycle execution or hidden external endpoint. Dangerous database/file operations are aligned with a backup/restore library and require user-invoked runtime configuration.
Evidence
package.json, index.js, createbackup.js, upload.js, filefunctions.js, functions.js, links.js, getmetadata.js, getrows.js, validateUploads.js, uploaddata.js, ./backupfiles, user-supplied output path, user-supplied zip path, application root during full backup/restore

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
• package.json has no install/preinstall/postinstall/prepare hooks and no bin entry.
• index.js only runs when the imported function is called with user config.
• Runtime network is mysql2/pg connections to user-supplied database host/port, not hardcoded exfiltration endpoints.
• createbackup.js writes backupfiles and a user-selected zip; fullBackup copies project files only under explicit backup mode.
• upload.js restores a user-provided zip and may move project files/drop databases only during explicit restore/clean operations.
• rg found no child_process, eval/Function, HTTP client, process.env harvesting, or AI-agent control-surface writes.

Behavioral surface
• Source
• Filesystem
• Supply chain
• High Entropy Strings
• Manifest: No manifest risk signals triggered.

scanned 11 file(s), 304 KB of source

Source & flagged code

1 flagged
package.json
Runtime dependency names matching Node built-ins: fs, path, stream
High: Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

Findings

1 High, 3 Low
High: Node Builtin Dependency Squat (package.json)
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings