MAL-2026-6528
Malicious code in @immobiliarelabs/backstage-plugin-ldap-auth (npm)
Details
## Source: amazon-inspector (e447b204a3dbe39ad2390ad721dfc14f32b64e2c27d8b4efaf99a27e9cde7b92)

The package ships a binding.gyp at the tarball root that contains GYP command-expansion syntax (`<!(...)` / `<!@(...)`) in its sources/targets configuration (binding.gyp line 6). npm implicitly invokes `node-gyp rebuild` whenever a binding.gyp is present — even with no declared install/postinstall script — and node-gyp evaluates `<!(...)` as a shell command during the configure step. As a result, attacker-controlled shell commands execute on the installer's machine on a default `npm install`, equivalent to a postinstall lifecycle hook. The package presents itself as an LDAP auth plugin for Backstage, a pure-JavaScript role for which a native addon (and thus a binding.gyp performing shell expansion) is not warranted. The traced content additionally tripped the model safety filter on output, corroborating the malicious shape of the embedded command. Installer impact: arbitrary code execution under the user running `npm install`, before any application code is invoked.
Affected packages
No fixed version published yet for @immobiliarelabs/backstage-plugin-ldap-auth (npm). Pin to a known-safe version or switch to an alternative.
References
- https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-ldap-auth/v/3.0.2 [PACKAGE]
- https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-ldap-auth/v/2.0.5 [PACKAGE]
- https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-ldap-auth/v/4.3.2 [PACKAGE]
- https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-ldap-auth/v/5.2.1 [PACKAGE]
- https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-ldap-auth/v/1.1.4 [PACKAGE]