VYPR

npm · Malicious package advisory

Malware

@immobiliarelabs/backstage-plugin-ldap-auth

MAL-2026-6528

Malicious code in @immobiliarelabs/backstage-plugin-ldap-auth (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e447b204a3dbe39ad2390ad721dfc14f32b64e2c27d8b4efaf99a27e9cde7b92)
The package ships a binding.gyp at the tarball root that contains GYP command-expansion syntax (<!(...) / <!@(...)) in its sources/targets configuration (binding.gyp line 6). npm implicitly invokes node-gyp rebuild whenever a binding.gyp is present — even with no declared install/postinstall script — and node-gyp evaluates <!(...) as a shell command during the configure step. This causes attacker-controlled shell to execute on the installer's machine on a default `npm install`, equivalent to a postinstall lifecycle hook. The package presents itself as an LDAP auth plugin for Backstage, a pure-JavaScript role for which a native addon (and thus a binding.gyp performing shell expansion) is not warranted. The traced content additionally tripped the model safety filter on output, corroborating the malicious shape of the embedded command. Installer impact: arbitrary code execution under the user running `npm install`, before any application code is invoked.

Compromised versions (5)

  • 3.0.2
  • 2.0.5
  • 4.3.2
  • 5.2.1
  • 1.1.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.