VYPR

npm · Malicious package advisory

Malware

@immobiliarelabs/backstage-plugin-gitlab

MAL-2026-6526

Malicious code in @immobiliarelabs/backstage-plugin-gitlab (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (00eb86df154a9532085ad285ee63cd4c4f9a95a6fe983b9930cd059dfb4cb3f5)
The package ships a binding.gyp at the package root whose targets/sources fields contain GYP command-expansion syntax (<!(...)) at line 6. npm implicitly invokes node-gyp rebuild whenever a binding.gyp is present, even without any declared install/postinstall script, and node-gyp/GYP evaluates <!(...) as a shell command during the configure step. This causes the embedded command to execute on every `npm install` of this package as a transitive or direct dependency. The package presents itself as a Backstage GitLab plugin (a pure TypeScript/React frontend plugin), a category that has no legitimate need to build a native addon — and consistent with that, no C/C++ source files are shipped alongside binding.gyp, so the file's only effect is to run the embedded shell command at install time. The traced content of this install-time code path was withheld by the upstream model's malware-output safety filter, which is itself a corroborating signal that the executed content reads as operational malware rather than benign build logic.

Compromised versions (7)

  • 5.2.1
  • 6.13.1
  • 3.0.3
  • 7.0.2
  • 2.1.2
  • 4.0.2
  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.