MAL-2026-6529

Malicious code in @immobiliarelabs/backstage-plugin-ldap-auth-backend (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (dbe41ed7d4257171c43c1047d7fde036575b57305b26d18cec61d1f1a20d33b1)

The package ships a binding.gyp at the package root containing GYP command-expansion syntax (`<!(...)`) in its sources/targets configuration (binding.gyp line 6). npm implicitly runs `node-gyp rebuild` whenever a binding.gyp is present — even with no declared install/postinstall script — and node-gyp evaluates `<!(...)` as a shell command during the configure step. This causes the embedded command to execute on the installing developer's or build system's machine on a default `npm install`, functionally equivalent to a malicious lifecycle hook. The package presents itself as a Backstage LDAP auth backend plugin, which has no legitimate need for a native build step or shell expansion in its build configuration. Stage-1 contextual tracing of the package contents was withheld by the model provider's safety filter, which engages specifically on content that reads as operational malware — a corroborating signal alongside the binding.gyp command-expansion finding.

Affected packages

npm / @immobiliarelabs/backstage-plugin-ldap-auth-backend

No fixed version published yet for @immobiliarelabs/backstage-plugin-ldap-auth-backend (npm). Pin to a known-safe version or switch to an alternative.