npm · Malicious package advisory
Malware@immobiliarelabs/backstage-plugin-gitlab
MAL-2026-6526
Malicious code in @immobiliarelabs/backstage-plugin-gitlab (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (00eb86df154a9532085ad285ee63cd4c4f9a95a6fe983b9930cd059dfb4cb3f5) The package ships a binding.gyp at the package root whose targets/sources fields contain GYP command-expansion syntax (<!(...)) at line 6. npm implicitly invokes node-gyp rebuild whenever a binding.gyp is present, even without any declared install/postinstall script, and node-gyp/GYP evaluates <!(...) as a shell command during the configure step. This causes the embedded command to execute on every `npm install` of this package as a transitive or direct dependency. The package presents itself as a Backstage GitLab plugin (a pure TypeScript/React frontend plugin), a category that has no legitimate need to build a native addon — and consistent with that, no C/C++ source files are shipped alongside binding.gyp, so the file's only effect is to run the embedded shell command at install time. The traced content of this install-time code path was withheld by the upstream model's malware-output safety filter, which is itself a corroborating signal that the executed content reads as operational malware rather than benign build logic.
Compromised versions (7)
- 5.2.1
- 6.13.1
- 3.0.3
- 7.0.2
- 2.1.2
- 4.0.2
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.