AI Security Review
scanned 3h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a user-invoked database backup/restore utility with local filesystem writes and database operations aligned to its stated purpose.
Static reason
One or more suspicious static signals were detected.
Trigger
Calling the exported async function with database credentials and path/workmode config
Impact
Can read/write backup files and modify/drop target database contents during requested restore modes, but no stealth install-time behavior or exfiltration was found.
Mechanism
MySQL backup/restore and local zip/archive file operations
Rationale
Static inspection shows risky primitives are package-aligned backup/restore behavior activated by user calls, with no lifecycle execution, covert network endpoint, credential harvesting, persistence, or AI-agent control-surface mutation. Built-in-named dependencies in package.json are suspicious metadata but not evidence of malicious package code here.
Evidence
- package.json
- index.js
- createbackup.js
- upload.js
- filefunctions.js
- functions.js
- links.js
- ./backupfiles
- ./backupfiles/backup
- ./backupfiles/backup/database
- ./backupfiles/backup/programfiles
- user-supplied .zip output/input path
- application root during full backup/restore
Decision evidence
public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks and main is index.js
- index.js only runs when exported function is called with user config
- DB password aliases are used to build mysql connection config, not harvested or exfiltrated
- createbackup.js writes local backupfiles and user-selected zip output for backup behavior
- upload.js can restore/drop DB data only during explicit upload/clean restore workflow
- No child_process, eval, remote fetch, agent control-surface writes, or hardcoded exfil endpoint found
Behavioral surface
Filesystem
High Entropy Strings
Source & flagged code
1 flagged · package.json
- Runtime dependency names matching Node built-ins: fs, path, stream
High · Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.json
Findings
1 High · 3 Low
- High: Node Builtin Dependency Squat (package.json)
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings