npm · Malicious package advisory
Malware@immobiliarelabs/backstage-plugin-gitlab-backend
MAL-2026-6527
Malicious code in @immobiliarelabs/backstage-plugin-gitlab-backend (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (096fc86987f4a25a5fb6572968e0c7309d71ed3e6ab16c239427de98c7d30ae7) The package ships a binding.gyp at the package root whose contents use GYP command-expansion syntax (`<!(...)`) inside its targets/sources fields. npm implicitly runs `node-gyp rebuild` whenever a binding.gyp is present — even with no declared install/postinstall script — and GYP evaluates `<!(...)` as a shell command during the configure step. The result is that `npm install @immobiliarelabs/backstage-plugin-gitlab-backend@6.13.1` causes an embedded shell command to execute on the installer machine without any explicit lifecycle hook. The package presents itself as a Backstage backend plugin (pure TypeScript/JavaScript), which has no legitimate need to ship a native-addon build descriptor; the binding.gyp's purpose is to run the embedded command at install time. the analysis of this artifact tripped the provider's malware-output safety filter, which corroborates the malicious shape of the contents. Treat as install-time remote code execution: the harmful path is automatic on a default `npm install`.
Compromised versions (5)
- 6.13.1
- 5.2.1
- 4.0.2
- 3.0.3
- 7.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.