MAL-2026-6528: Malicious code in @immobiliarelabs/backstage-plugin-ldap-auth (npm)
The npm package @immobiliarelabs/backstage-plugin-ldap-auth contains malicious code embedded in its binding.gyp file. This file uses GYP command-expansion syntax that causes node-gyp to execute attacker-controlled shell commands during installation, leading to arbitrary code execution under the user running npm install. The package masquerades as an LDAP authentication plugin for Backstage but includes unnecessary native addon build steps that enable this malicious behavior. Multiple specific versions of the package are affected.
AI Analysis
Technical Summary
The @immobiliarelabs/backstage-plugin-ldap-auth npm package includes a binding.gyp file at the tarball root that uses GYP command-expansion syntax (<!(...) / <!@(...)) in its sources/targets configuration. npm triggers node-gyp rebuild automatically when binding.gyp is present, causing node-gyp to execute shell commands embedded in the binding.gyp during the configure step. This results in arbitrary code execution on the installer's machine at install time, equivalent to a postinstall lifecycle hook. The package falsely presents as a pure JavaScript LDAP auth plugin for Backstage, for which a native addon is unnecessary, indicating malicious intent. The affected versions explicitly include 1.1.4, 2.0.5, 3.0.2, 4.3.2, and 5.2.1.
Potential Impact
An attacker can achieve arbitrary code execution on the system of any user who installs the affected package versions. This occurs during the npm install process before any application code runs, allowing execution of shell commands with the privileges of the installing user. This can lead to system compromise, data theft, or further malware installation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fixed version is available, avoid installing or updating to the affected versions of @immobiliarelabs/backstage-plugin-ldap-auth. Consider auditing your dependency tree for this package and removing or replacing it if found. Monitor official sources for updates or patches addressing this malicious package.
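The audit recommended above, as an added example (not code from the advisory or from the package): it extracts <!(...) / <!@(...) command expansions from a binding.gyp and matches the package name and versions listed in this advisory. The function names and the sample binding.gyp are constructed for illustration, and the sample command is a harmless stand-in.

```javascript
// Added example: flag binding.gyp command expansions and the advisory's versions.
const ADVISORY = {
  name: '@immobiliarelabs/backstage-plugin-ldap-auth',
  versions: ['1.1.4', '2.0.5', '3.0.2', '4.3.2', '5.2.1'], // from MAL-2026-6528
};

// Return every GYP command expansion, <!(cmd) or <!@(cmd), found in the text.
// Parentheses are balanced by hand because commands often contain their own.
function gypCommandExpansions(gypText) {
  const found = [];
  const opener = /<!@?\(/g;
  let m;
  while ((m = opener.exec(gypText)) !== null) {
    let depth = 1, i = opener.lastIndex;
    while (i < gypText.length && depth > 0) {
      if (gypText[i] === '(') depth++;
      else if (gypText[i] === ')') depth--;
      i++;
    }
    const end = depth === 0 ? i - 1 : gypText.length; // unterminated: take the rest
    found.push({ form: m[0].slice(0, -1), command: gypText.slice(opener.lastIndex, end).trim() });
    opener.lastIndex = i; // resume after this expansion (nested ones stay inside it)
  }
  return found;
}

// Classify one installed package from its package.json object and the text of a
// root-level binding.gyp (null when the package ships none).
function auditPackage(manifest, gypText) {
  const findings = [];
  if (manifest.name === ADVISORY.name && ADVISORY.versions.includes(manifest.version))
    findings.push('listed in MAL-2026-6528');
  if (gypText !== null) {
    const scripts = manifest.scripts || {};
    // npm adds the implicit "node-gyp rebuild" only when no install/preinstall script is defined
    if (!scripts.install && !scripts.preinstall)
      findings.push('binding.gyp triggers implicit node-gyp rebuild');
    for (const e of gypCommandExpansions(gypText))
      findings.push(`runs at configure time: ${e.form}(${e.command})`);
  }
  return findings;
}

// Constructed sample, not the real package contents.
const sampleGyp = `{ "targets": [{ "target_name": "addon",
  "sources": ["<!(echo constructed-stand-in)"],
  "include_dirs": ["<!@(node -p \\"require('node-addon-api').include\\")"] }] }`;
console.log(auditPackage({ name: ADVISORY.name, version: '3.0.2' }, sampleGyp));
```

A command expansion is not malicious by itself: native addons commonly use one to locate headers, so review the command that runs, and treat any binding.gyp in a package that claims to be pure JavaScript as the stronger signal.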
Technical Details
- GCVE Source: db.gcve.eu
- OSV ID: MAL-2026-6528
- OSV Schema Version: 1.7.4
- Aliases: []
- Ecosystems: ["npm"]
- Database Specific Severity: null
- CVSS Version: null
Threat ID: 6a3ef79627e9c79719ff9a69
Added to database: 06/26/2026, 22:05:10 UTC
Last enriched: 06/26/2026, 22:20:09 UTC
Last updated: 06/26/2026, 22:20:09 UTC