The @immobiliarelabs/backstage-plugin-ldap-auth-backend npm package includes a binding.gyp file at its root that contains GYP command-expansion syntax (`<!(...)`) in its sources/targets configuration. npm automatically invokes `node-gyp rebuild` when a binding.gyp file is detected, even without explicit install scripts. During this process, node-gyp executes the embedded shell command within the command-expansion syntax, resulting in arbitrary code execution on the machine performing the npm install. This behavior is equivalent to a malicious lifecycle hook. The package falsely presents as a Backstage LDAP auth backend plugin, which should not require native build steps or shell command execution, indicating malicious intent. The model provider's safety filter withheld further contextual tracing due to operational malware content, reinforcing the malicious nature of this package.

Installing the affected versions of this package results in arbitrary shell command execution on the installing developer's or build system's machine. This can lead to compromise of the build environment, unauthorized code execution, data theft, or further malware installation. The malicious code executes silently during a standard npm install, making it a significant supply chain risk.

No official patch or remediation is currently documented for this package. Users should avoid installing the affected versions (=1.1.3, =2.0.5, =3.0.2, =4.3.2, =5.2.1) of @immobiliarelabs/backstage-plugin-ldap-auth-backend. Consider removing this package from your dependencies and replacing it with a trusted alternative. Monitor for updates from the package maintainer or npm advisories for any official fixes or removals. Until then, do not run npm install on this package in any environment.