MAL-2026-6527: Malicious code in @immobiliarelabs/backstage-plugin-gitlab-backend (npm)
The npm package @immobiliarelabs/backstage-plugin-gitlab-backend contains malicious code embedded in its binding.gyp file. This file uses GYP command-expansion syntax to execute shell commands automatically during npm install via node-gyp rebuild, without any explicit install or postinstall scripts. The package masquerades as a Backstage backend plugin but includes a native-addon build descriptor solely to trigger remote code execution on the installer's machine. Multiple specific versions are affected, and the malicious behavior occurs automatically on default installation.
AI Analysis
Technical Summary
The @immobiliarelabs/backstage-plugin-gitlab-backend npm package versions 3.0.3, 4.0.2, 5.2.1, 6.13.1, and 7.0.2 include a binding.gyp file that leverages GYP command-expansion syntax (<!(...)) in its targets/sources fields. npm runs node-gyp rebuild automatically when binding.gyp is present, causing the embedded shell command to execute during the configure step without any declared lifecycle scripts. This results in install-time remote code execution on the machine performing npm install. The package falsely presents as a pure TypeScript/JavaScript Backstage backend plugin, which should not require native build descriptors, indicating the binding.gyp is maliciously crafted to execute code.
Potential Impact
Installing any of the affected versions of this package results in automatic execution of arbitrary shell commands on the installer's machine during npm install. This constitutes install-time remote code execution, potentially allowing attackers to run malicious code with the privileges of the user performing the installation.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing the affected versions (=3.0.3, =4.0.2, =5.2.1, =6.13.1, =7.0.2) of @immobiliarelabs/backstage-plugin-gitlab-backend. Verify package integrity and source before installation. Monitor vendor advisories for updates or official fixes. Since this is not a cloud service, remediation depends on avoiding or removing the malicious package from environments.
MAL-2026-6527: Malicious code in @immobiliarelabs/backstage-plugin-gitlab-backend (npm)
Description
The npm package @immobiliarelabs/backstage-plugin-gitlab-backend contains malicious code embedded in its binding.gyp file. This file uses GYP command-expansion syntax to execute shell commands automatically during npm install via node-gyp rebuild, without any explicit install or postinstall scripts. The package masquerades as a Backstage backend plugin but includes a native-addon build descriptor solely to trigger remote code execution on the installer's machine. Multiple specific versions are affected, and the malicious behavior occurs automatically on default installation.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The @immobiliarelabs/backstage-plugin-gitlab-backend npm package versions 3.0.3, 4.0.2, 5.2.1, 6.13.1, and 7.0.2 include a binding.gyp file that leverages GYP command-expansion syntax (<!(...)) in its targets/sources fields. npm runs node-gyp rebuild automatically when binding.gyp is present, causing the embedded shell command to execute during the configure step without any declared lifecycle scripts. This results in install-time remote code execution on the machine performing npm install. The package falsely presents as a pure TypeScript/JavaScript Backstage backend plugin, which should not require native build descriptors, indicating the binding.gyp is maliciously crafted to execute code.
Potential Impact
Installing any of the affected versions of this package results in automatic execution of arbitrary shell commands on the installer's machine during npm install. This constitutes install-time remote code execution, potentially allowing attackers to run malicious code with the privileges of the user performing the installation.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing the affected versions (=3.0.3, =4.0.2, =5.2.1, =6.13.1, =7.0.2) of @immobiliarelabs/backstage-plugin-gitlab-backend. Verify package integrity and source before installation. Monitor vendor advisories for updates or official fixes. Since this is not a cloud service, remediation depends on avoiding or removing the malicious package from environments.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6527
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a3ef79627e9c79719ff9a70
Added to database: 06/26/2026, 22:05:10 UTC
Last enriched: 06/26/2026, 22:20:13 UTC
Last updated: 06/26/2026, 22:20:13 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.