{"id":"MAL-2026-6526","summary":"Malicious code in @immobiliarelabs/backstage-plugin-gitlab (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (00eb86df154a9532085ad285ee63cd4c4f9a95a6fe983b9930cd059dfb4cb3f5)\nThe package ships a binding.gyp at the package root whose targets/sources fields contain GYP command-expansion syntax (\u003c!(...)) at line 6. npm implicitly invokes node-gyp rebuild whenever a binding.gyp is present, even without any declared install/postinstall script, and node-gyp/GYP evaluates \u003c!(...) as a shell command during the configure step. This causes the embedded command to execute on every `npm install` of this package as a transitive or direct dependency. The package presents itself as a Backstage GitLab plugin (a pure TypeScript/React frontend plugin), a category that has no legitimate need to build a native addon — and consistent with that, no C/C++ source files are shipped alongside binding.gyp, so the file's only effect is to run the embedded shell command at install time. The traced content of this install-time code path was withheld by the upstream model's malware-output safety filter, which is itself a corroborating signal that the executed content reads as operational malware rather than benign build logic.\n","modified":"2026-06-26T16:01:40.488941495Z","published":"2026-06-26T15:42:00Z","database_specific":{"malicious-packages-origins":[{"versions":["5.2.1"],"sha256":"00eb86df154a9532085ad285ee63cd4c4f9a95a6fe983b9930cd059dfb4cb3f5","import_time":"2026-06-26T15:52:37.311762337Z","modified_time":"2026-06-26T15:42:16Z","source":"amazon-inspector","id":"IN-MAL-2026-007624"},{"versions":["6.13.1"],"sha256":"1f15945dc37e8e88a581ff3869d6f2c2efa39eddcbbc5d61b82aa05ff10c0e28","import_time":"2026-06-26T15:52:37.233345942Z","modified_time":"2026-06-26T15:42:15Z","source":"amazon-inspector","id":"IN-MAL-2026-007623"},{"versions":["3.0.3"],"sha256":"3156ada55f6dcb5e429a184f246f6e60bb77a31c84231961e0803e76cafced0b","import_time":"2026-06-26T15:52:36.652336644Z","modified_time":"2026-06-26T15:42:04Z","source":"amazon-inspector","id":"IN-MAL-2026-007612"},{"versions":["7.0.2"],"sha256":"85667e8ad429ae8bd36193c38af3b567789bdefb047aee9669fa9bd201bfcfc9","import_time":"2026-06-26T15:52:37.189644709Z","modified_time":"2026-06-26T15:42:14Z","source":"amazon-inspector","id":"IN-MAL-2026-007622"},{"versions":["2.1.2"],"sha256":"8dcf811afd941947d8357bb6aa5c85d523861abd115900b5f151a0806f9da3e1","import_time":"2026-06-26T15:52:36.509035183Z","modified_time":"2026-06-26T15:42:03Z","source":"amazon-inspector","id":"IN-MAL-2026-007610"},{"versions":["4.0.2"],"sha256":"bd3ae7900c4da339c927696cbb58db4c1d920641adfea39ddf98f355eb2188ca","import_time":"2026-06-26T15:52:36.441997724Z","modified_time":"2026-06-26T15:42:00Z","source":"amazon-inspector","id":"IN-MAL-2026-007609"},{"versions":["1.0.1"],"sha256":"ddefa4518a49e0dfd8d005fb64a893a86029a2f836c7b9d60813e1710f2d6141","import_time":"2026-06-26T15:52:37.396670367Z","modified_time":"2026-06-26T15:42:16Z","source":"amazon-inspector","id":"IN-MAL-2026-007625"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab/v/5.2.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab/v/6.13.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab/v/3.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab/v/7.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab/v/2.1.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab/v/4.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab/v/1.0.1"}],"affected":[{"package":{"name":"@immobiliarelabs/backstage-plugin-gitlab","ecosystem":"npm","purl":"pkg:npm/%40immobiliarelabs%2Fbackstage-plugin-gitlab"},"versions":["5.2.1","6.13.1","3.0.3","7.0.2","2.1.2","4.0.2","1.0.1"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"tlsh":"3ac08c3ca9380c1029dd18584128d802a4a141a3484e2a81facd60388fa800b68acbae","sha256":"ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90","path":"binding.gyp"}],"package_integrity":[{"filename":"backstage-plugin-gitlab-5.2.1.tgz","hashes":{"sha1":"a36134e065b6317977cefdd689e4f618634d4919","sha512_sri":"sha512-C+5YJE6vS9nUqVzr2ksTEZvspRFwrJYIQYhsuLq5oEs8FvyCO7rLVDRRp28vuxJFmbFyNHR1LqRRX6ogydpfSA=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@immobiliarelabs/backstage-plugin-gitlab/MAL-2026-6526.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}