AI Security Review
scanned 16h ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The package performs user-invoked MySQL backup/restore with local zip/temp file operations.
Static reason
One or more suspicious static signals were detected.
Trigger
Runtime call to exported function with user-provided configData
Impact
Can read/write configured databases and local backup files as part of requested backup/restore behavior
Mechanism
database backup/restore and local archive extraction/creation
Rationale
Static source inspection shows package-aligned database backup functionality with no lifecycle execution, exfiltration endpoint, agent control-surface mutation, persistence, or remote code execution. The suspicious dependency names and credential aliases are explainable by a DB backup module that accepts DB credentials and uses Node built-ins/package-aligned libraries.
Evidence
package.json, index.js, createbackup.js, upload.js, filefunctions.js, links.js, functions.js, getmetadata.js, getrows.js, uploaddata.js, validateUploads.js, ./backupfiles, user-supplied backup/output path
Decision evidence
public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks and main is index.js.
- index.js only exports a user-invoked backup/restore function that validates supplied DB config and path.
- Network activity is limited to user-supplied MySQL connections via mysql2 in functions.js/getmetadata.js/getrows.js/uploaddata.js.
- File writes/deletes are package-aligned backup temp/output operations under ./backupfiles or user-supplied backup paths.
- No child_process, shell execution, eval/vm/Function execution, or remote HTTP endpoint use found.
- fs/path dependencies shadow Node built-ins but are security placeholder/polyfill packages and not used for install-time execution.
Behavioral surface
Filesystem
High Entropy Strings
Source & flagged code
1 flagged · package.json
• Runtime dependency names matching Node built-ins: fs, path, stream
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.json
Findings
1 High, 3 Low
High: Node Builtin Dependency Squat (package.json)
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings