VYPR

npm · Malicious package advisory

Malware

@immobiliarelabs/backstage-plugin-ldap-auth-backend

MAL-2026-6529

Malicious code in @immobiliarelabs/backstage-plugin-ldap-auth-backend (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (dbe41ed7d4257171c43c1047d7fde036575b57305b26d18cec61d1f1a20d33b1)
The package ships a binding.gyp at the package root containing GYP command-expansion syntax (`<!(...)`) in its sources/targets configuration (binding.gyp line 6). npm implicitly runs `node-gyp rebuild` whenever a binding.gyp is present — even with no declared install/postinstall script — and node-gyp evaluates `<!(...)` as a shell command during the configure step. This causes the embedded command to execute on the installing developer's or build system's machine on a default `npm install`, functionally equivalent to a malicious lifecycle hook. The package presents itself as a Backstage LDAP auth backend plugin, which has no legitimate need for a native build step or shell expansion in its build configuration. Stage-1 contextual tracing of the package contents was withheld by the model provider's safety filter, which engages specifically on content that reads as operational malware — a corroborating signal alongside the binding.gyp command-expansion finding.

Compromised versions (5)

  • 3.0.2
  • 2.0.5
  • 1.1.3
  • 5.2.1
  • 4.3.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.