{"id":"MAL-2026-6527","summary":"Malicious code in @immobiliarelabs/backstage-plugin-gitlab-backend (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (096fc86987f4a25a5fb6572968e0c7309d71ed3e6ab16c239427de98c7d30ae7)\nThe package ships a binding.gyp at the package root whose contents use GYP command-expansion syntax (`\u003c!(...)`) inside its targets/sources fields. npm implicitly runs `node-gyp rebuild` whenever a binding.gyp is present at the package root and the package declares no install or preinstall script of its own, and GYP evaluates `\u003c!(...)` as a shell command during the configure step. The result is that `npm install @immobiliarelabs/backstage-plugin-gitlab-backend@6.13.1` causes an embedded shell command to execute on the installer machine without any explicit lifecycle hook. The package presents itself as a Backstage backend plugin (pure TypeScript/JavaScript), which has no legitimate need to ship a native-addon build descriptor; the binding.gyp's only purpose is to run the embedded command at install time. The analysis of this artifact tripped the provider's malware-output safety filter, which corroborates the malicious shape of the contents. Treat as install-time remote code execution: the harmful path is automatic on a default `npm install`.\n","modified":"2026-06-26T16:01:40.458585641Z","published":"2026-06-26T15:42:17Z","database_specific":{"malicious-packages-origins":[{"versions":["6.13.1"],"sha256":"096fc86987f4a25a5fb6572968e0c7309d71ed3e6ab16c239427de98c7d30ae7","import_time":"2026-06-26T15:52:37.639550474Z","modified_time":"2026-06-26T15:42:19Z","source":"amazon-inspector","id":"IN-MAL-2026-007629"},{"import_time":"2026-06-26T15:52:37.598461054Z","sha256":"bd391194516a2446c71eb338fd1f072d8fa9f271541a1444d2b744bda4e17f6b","versions":["5.2.1"],"modified_time":"2026-06-26T15:42:18Z","source":"amazon-inspector","id":"IN-MAL-2026-007628"},{"versions":["4.0.2"],"sha256":"746900059ab269f17ea3ddbaec4bd970351a4aebf3d9fe39a1abf6d6a0c4e1b0","import_time":"2026-06-26T15:52:37.505571173Z","modified_time":"2026-06-26T15:42:18Z","source":"amazon-inspector","id":"IN-MAL-2026-007627"},{"import_time":"2026-06-26T15:52:37.694903013Z","sha256":"b76bfd2d462dd636f50ea252e3302cbc709493e28d15bcc6ed7fb78596ffa5d4","versions":["3.0.3"],"modified_time":"2026-06-26T15:42:20Z","source":"amazon-inspector","id":"IN-MAL-2026-007630"},{"id":"IN-MAL-2026-007626","sha256":"bc110d148a9d2fc837102bd10f2c465850d7134796fb23d718de1a9cc05221cf","versions":["7.0.2"],"modified_time":"2026-06-26T15:42:17Z","source":"amazon-inspector","import_time":"2026-06-26T15:52:37.452454014Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab-backend/v/6.13.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab-backend/v/5.2.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab-backend/v/4.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab-backend/v/3.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-gitlab-backend/v/7.0.2"}],"affected":[{"package":{"name":"@immobiliarelabs/backstage-plugin-gitlab-backend","ecosystem":"npm","purl":"pkg:npm/%40immobiliarelabs%2Fbackstage-plugin-gitlab-backend"},"versions":["6.13.1","5.2.1","4.0.2","3.0.3","7.0.2"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"tlsh":"3ac08c3ca9380c1029dd18584128d802a4a141a3484e2a81facd60388fa800b68acbae","sha256":"ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90","path":"binding.gyp"}],"package_integrity":[{"filename":"backstage-plugin-gitlab-backend-6.13.1.tgz","hashes":{"sha1":"a28eb85ec7d79c7dbb4200e3b79043b2e001a77a","sha512_sri":"sha512-YpqnLrsK4DRSLyswlqtWNlpl2tRDU206xB3J01BaLRhogtmDRFWYbFvMPuwY+K7TPswu4F5JUaiZ/W/qpAteAA=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@immobiliarelabs/backstage-plugin-gitlab-backend/MAL-2026-6527.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}