MAL-2026-6527
Malicious code in @immobiliarelabs/backstage-plugin-gitlab-backend (npm)
Details
## Source: amazon-inspector (096fc86987f4a25a5fb6572968e0c7309d71ed3e6ab16c239427de98c7d30ae7)

The package ships a binding.gyp at the package root whose contents use GYP command-expansion syntax (`<!(...)`) inside its targets/sources fields. npm implicitly runs `node-gyp rebuild` whenever a binding.gyp is present, even with no declared install/postinstall script, and GYP evaluates `<!(...)` as a shell command during the configure step. The result is that `npm install @immobiliarelabs/backstage-plugin-gitlab-backend@6.13.1` executes an embedded shell command on the installing machine without any explicit lifecycle hook.

The package presents itself as a Backstage backend plugin (pure TypeScript/JavaScript), which has no legitimate need to ship a native-addon build descriptor; the binding.gyp's only purpose is to run the embedded command at install time. Analysis of this artifact tripped the provider's malware-output safety filter, which corroborates the malicious shape of the contents.

Treat as install-time remote code execution: the harmful path is automatic on a default `npm install`.
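The following scanner is an added example for defenders, not part of this advisory or of the package it describes. It walks an npm install tree (a `node_modules` directory or an extracted tarball), finds every package that ships a root-level binding.gyp, extracts the GYP command expansions (`<!(...)` and `<!@(...)`) it contains, and records whether npm would run `node-gyp rebuild` implicitly, which per npm's documented behaviour happens when the package declares neither an `install` nor a `preinstall` script. The sample packages it builds in a temporary directory (names, contents and the harmless `echo` commands) are constructed for the demonstration.

```python
"""Flag npm packages whose binding.gyp embeds GYP shell command expansions.

Added example (not the advisory's or the package's own code). All sample
package names and file contents below are constructed for the demonstration.
"""
import json
import os
import re
import tempfile

# GYP command expansion: <!(cmd) or <!@(cmd). GYP runs `cmd` through the shell
# during the configure step, which npm's implicit `node-gyp rebuild` triggers.
CMD_EXPANSION = re.compile(r"<!@?\([^)]*\)")

# npm falls back to `node-gyp rebuild` only when neither of these is declared.
IMPLICIT_TRIGGER_SCRIPTS = ("install", "preinstall")


def find_command_expansions(binding_gyp_path):
    """Return every <!(...) / <!@(...) expansion found in a binding.gyp file."""
    with open(binding_gyp_path, encoding="utf-8", errors="replace") as fh:
        return CMD_EXPANSION.findall(fh.read())


def install_is_implicit(package_json_path):
    """True when npm would run `node-gyp rebuild` with no visible lifecycle hook,
    i.e. the package declares no install/preinstall script of its own."""
    with open(package_json_path, encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts") or {}
    return not any(name in scripts for name in IMPLICIT_TRIGGER_SCRIPTS)


def scan_tree(root):
    """Walk an install tree and report packages whose root binding.gyp embeds
    shell command expansions, sorted by package name for stable output."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "binding.gyp" not in filenames or "package.json" not in filenames:
            continue
        expansions = find_command_expansions(os.path.join(dirpath, "binding.gyp"))
        if not expansions:
            continue  # ordinary native addon listing real sources only
        pkg_json = os.path.join(dirpath, "package.json")
        with open(pkg_json, encoding="utf-8") as fh:
            name = json.load(fh).get("name", os.path.basename(dirpath))
        findings.append({
            "package": name,
            "path": dirpath,
            "expansions": expansions,
            "implicit_node_gyp": install_is_implicit(pkg_json),
        })
    findings.sort(key=lambda f: f["package"])
    return findings


def build_sample_tree(root):
    """Construct three sample packages under root/node_modules (all made up)."""
    samples = {
        # Pure-JS package that still ships a binding.gyp with a command expansion
        # and no install script: the shape this advisory describes.
        "suspicious-js-plugin": (
            {"name": "suspicious-js-plugin", "version": "1.0.0", "main": "index.js"},
            '{ "targets": [ { "target_name": "x",'
            ' "sources": [ "<!(echo CONSTRUCTED-SAMPLE)" ] } ] }\n',
        ),
        # Ordinary native addon: binding.gyp lists real source files only.
        "benign-native-addon": (
            {"name": "benign-native-addon", "version": "2.1.0"},
            '{ "targets": [ { "target_name": "addon", "sources": [ "src/addon.cc" ] } ] }\n',
        ),
        # Addon with an expansion but an explicit install script: the build still
        # runs, yet it is visible in package.json rather than implicit.
        "declared-script-addon": (
            {"name": "declared-script-addon", "version": "0.3.0",
             "scripts": {"install": "node-gyp rebuild"}},
            '{ "targets": [ { "target_name": "addon", "sources": [ "src/addon.cc" ],'
            ' "include_dirs": [ "<!@(echo CONSTRUCTED-INCLUDE)" ] } ] }\n',
        ),
    }
    for dirname, (pkg, gyp) in samples.items():
        pkg_dir = os.path.join(root, "node_modules", dirname)
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(pkg, fh)
        with open(os.path.join(pkg_dir, "binding.gyp"), "w", encoding="utf-8") as fh:
            fh.write(gyp)
    return os.path.join(root, "node_modules")


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['package']}: {f['expansions']} implicit node-gyp: {f['implicit_node_gyp']}")
```

Two caveats when using this on a real tree. Command expansions are legitimate in some native addons (for example to locate header directories), so a hit is a candidate to review, and the decisive signal is the one the advisory names: a package with no native sources at all that nonetheless carries a binding.gyp. And because the implicit `node-gyp rebuild` is an ordinary lifecycle script as far as npm is concerned, installing with `--ignore-scripts` suppresses it along with declared install hooks, which is the usual first containment step while a tree is being reviewed.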
Affected packages
No fixed version published yet for @immobiliarelabs/backstage-plugin-gitlab-backend (npm). Pin to a known-safe version or switch to an alternative.
References
- https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab-backend/v/6.13.1 [PACKAGE]
- https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab-backend/v/5.2.1 [PACKAGE]
- https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab-backend/v/4.0.2 [PACKAGE]
- https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab-backend/v/3.0.3 [PACKAGE]
- https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab-backend/v/7.0.2 [PACKAGE]