npm · Malicious package advisory
Malware@immobiliarelabs/backstage-plugin-ldap-auth-backend
MAL-2026-6529
Malicious code in @immobiliarelabs/backstage-plugin-ldap-auth-backend (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (dbe41ed7d4257171c43c1047d7fde036575b57305b26d18cec61d1f1a20d33b1) The package ships a binding.gyp at the package root containing GYP command-expansion syntax (`<!(...)`) in its sources/targets configuration (binding.gyp line 6). npm implicitly runs `node-gyp rebuild` whenever a binding.gyp is present — even with no declared install/postinstall script — and node-gyp evaluates `<!(...)` as a shell command during the configure step. This causes the embedded command to execute on the installing developer's or build system's machine on a default `npm install`, functionally equivalent to a malicious lifecycle hook. The package presents itself as a Backstage LDAP auth backend plugin, which has no legitimate need for a native build step or shell expansion in its build configuration. Stage-1 contextual tracing of the package contents was withheld by the model provider's safety filter, which engages specifically on content that reads as operational malware — a corroborating signal alongside the binding.gyp command-expansion finding.
Compromised versions (5)
- 3.0.2
- 2.0.5
- 1.1.3
- 5.2.1
- 4.3.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.