AI Security Review
scanned 16h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a user-invoked MySQL backup/restore utility with broad but package-aligned database and filesystem effects.
Static reason
One or more suspicious static signals were detected.
Trigger
Calling the exported async function with backup/restore configuration.
Impact
Can read/write/drop configured databases and create/move/copy files during explicit backup or restore modes.
Mechanism
Database backup/restore and optional project file backup/restore.
Rationale
The built-in dependency-name signal is noisy here: the source requires fs, path and stream as ordinary Node built-ins, which Node resolves from its core module table before it consults node_modules, and the package has no lifecycle scripts and no hidden external endpoint. The dangerous database and file operations are exactly what a backup/restore library is expected to perform, and they run only when a caller supplies configuration at runtime. The stray declarations still cause npm packages of the same names to be installed alongside the utility; whatever those packages do at install time is not assessed by this review.
Evidence
- package.json
- index.js
- createbackup.js
- upload.js
- filefunctions.js
- functions.js
- links.js
- getmetadata.js
- getrows.js
- validateUploads.js
- uploaddata.js
- ./backupfiles
- user-supplied output path
- user-supplied zip path
- application root during full backup/restore
Decision evidence
public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall/prepare hooks and no bin entry.
- index.js only runs when imported function is called with user config.
- Runtime network is mysql2/pg connections to user-supplied database host/port, not hardcoded exfiltration endpoints.
- createbackup.js writes backupfiles and a user-selected zip; fullBackup copies project files only under explicit backup mode.
- upload.js restores a user-provided zip and may move project files/drop databases only during explicit restore/clean operations.
- rg found no child_process, eval/Function, HTTP client, process.env harvesting, or AI-agent control-surface writes.
Behavioral surface
Filesystem
High Entropy Strings
Source & flagged code
1 flagged · package.json
- Runtime dependency names matching Node built-ins: fs, path, stream
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.json
Findings
1 High · 3 Low
- High · Node Builtin Dependency Squat · package.json
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings