
dbbackuper@1.4.1

You can backup your database easily using this module

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked database backup/restore utility with local filesystem writes and database operations aligned to its stated purpose.

Static reason
One or more suspicious static signals were detected.
Trigger
Calling the exported async function with database credentials and path/workmode config
Impact
Can read/write backup files and modify/drop target database contents during requested restore modes, but no stealth install-time behavior or exfiltration was found.
Mechanism
MySQL backup/restore and local zip/archive file operations
Rationale
Static inspection shows risky primitives are package-aligned backup/restore behavior activated by user calls, with no lifecycle execution, covert network endpoint, credential harvesting, persistence, or AI-agent control-surface mutation. Built-in-named dependencies in package.json are suspicious metadata but not evidence of malicious package code here.
Evidence
• package.json
• index.js
• createbackup.js
• upload.js
• filefunctions.js
• functions.js
• links.js
• ./backupfiles
• ./backupfiles/backup
• ./backupfiles/backup/database
• ./backupfiles/backup/programfiles
• user-supplied .zip output/input path
• application root during full backup/restore

Decision evidence

public snapshot
AI classified this package as Clean (Benign) at 88.0% confidence, with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks and main is index.js
    • index.js only runs when exported function is called with user config
    • DB password aliases are used to build mysql connection config, not harvested or exfiltrated
    • createbackup.js writes local backupfiles and user-selected zip output for backup behavior
    • upload.js can restore/drop DB data only during explicit upload/clean restore workflow
    • No child_process, eval, remote fetch, agent control-surface writes, or hardcoded exfil endpoint found
    Behavioral surface
    Source
    Filesystem
    Supply chain
    High Entropy Strings
    Manifest: No manifest risk signals triggered.
    scanned 11 file(s), 304 KB of source

    Source & flagged code

    1 flagged
    package.json
    Runtime dependency names matching Node built-ins: fs, path, stream
    High
    Node Builtin Dependency Squat

    Package declares a runtime dependency whose name matches a Node built-in module.


    Findings

    1 High, 3 Low
    • High: Node Builtin Dependency Squat (package.json)
    • Low: Scripts Present
    • Low: Filesystem
    • Low: High Entropy Strings