
dbbackuper@1.3.6

You can backup your database easily using this module

AI Security Review

scanned 16h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package performs user-invoked MySQL backup/restore with local zip/temp file operations.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime call to exported function with user-provided configData
Impact
Can read/write configured databases and local backup files as part of requested backup/restore behavior
Mechanism
database backup/restore and local archive extraction/creation
Rationale
Static source inspection shows package-aligned database backup functionality with no lifecycle execution, exfiltration endpoint, agent control-surface mutation, persistence, or remote code execution. The suspicious dependency names and credential aliases are explainable by a DB backup module that accepts DB credentials and uses Node built-ins/package-aligned libraries.
Evidence
package.json, index.js, createbackup.js, upload.js, filefunctions.js, links.js, functions.js, getmetadata.js, getrows.js, uploaddata.js, validateUploads.js, ./backupfiles, user-supplied backup/output path

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    (none listed)
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks and main is index.js.
    • index.js only exports a user-invoked backup/restore function that validates supplied DB config and path.
    • Network activity is limited to user-supplied MySQL connections via mysql2 in functions.js/getmetadata.js/getrows.js/uploaddata.js.
    • File writes/deletes are package-aligned backup temp/output operations under ./backupfiles or user-supplied backup paths.
    • No child_process, shell execution, eval/vm/Function execution, or remote HTTP endpoint use found.
    • fs/path dependencies shadow Node built-ins but resolve to security placeholder/polyfill packages and are not used for install-time execution. In Node, require('fs') and require('path') always load the core modules and never node_modules, so the only exposure from these entries is whatever the resolved package versions do at install time.
    Behavioral surface: Source, Filesystem, Supply chain, HighEntropyStrings
    Manifest: No manifest risk signals triggered.
    scanned 11 file(s), 304 KB of source

    Source & flagged code

    1 flagged
    package.json
    Runtime dependency names matching Node built-ins: fs, path, stream
    High: Node Builtin Dependency Squat

    Package declares a runtime dependency whose name matches a Node built-in module. Such a dependency is still fetched from the registry on install even though require() of that name resolves to the core module, so check the version the lockfile resolves it to and whether that version carries install scripts.


    Findings

    1 High, 3 Low
    High: Node Builtin Dependency Squat (package.json)
    Low: Scripts Present
    Low: Filesystem
    Low: High Entropy Strings