VYPR

npm · Malicious package advisory

Malware

@immobiliarelabs/backstage-plugin-gitlab-backend

MAL-2026-6527

Malicious code in @immobiliarelabs/backstage-plugin-gitlab-backend (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (096fc86987f4a25a5fb6572968e0c7309d71ed3e6ab16c239427de98c7d30ae7)
The package ships a binding.gyp at the package root whose contents use GYP command-expansion syntax (`<!(...)`) inside its targets/sources fields. npm implicitly runs `node-gyp rebuild` whenever a binding.gyp is present — even with no declared install/postinstall script — and GYP evaluates `<!(...)` as a shell command during the configure step. The result is that `npm install @immobiliarelabs/backstage-plugin-gitlab-backend@6.13.1` causes an embedded shell command to execute on the installer machine without any explicit lifecycle hook. The package presents itself as a Backstage backend plugin (pure TypeScript/JavaScript), which has no legitimate need to ship a native-addon build descriptor; the binding.gyp's purpose is to run the embedded command at install time. the analysis of this artifact tripped the provider's malware-output safety filter, which corroborates the malicious shape of the contents. Treat as install-time remote code execution: the harmful path is automatic on a default `npm install`.

Compromised versions (5)

  • 6.13.1
  • 5.2.1
  • 4.0.2
  • 3.0.3
  • 7.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.