{"id":"MAL-2026-6528","summary":"Malicious code in @immobiliarelabs/backstage-plugin-ldap-auth (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e447b204a3dbe39ad2390ad721dfc14f32b64e2c27d8b4efaf99a27e9cde7b92)\nThe package ships a binding.gyp at the tarball root that contains GYP command-expansion syntax (\u003c!(...) / \u003c!@(...)) in its sources/targets configuration (binding.gyp line 6). npm implicitly invokes node-gyp rebuild whenever a binding.gyp is present — even with no declared install/postinstall script — and node-gyp evaluates \u003c!(...) as a shell command during the configure step. This causes attacker-controlled shell to execute on the installer's machine on a default `npm install`, equivalent to a postinstall lifecycle hook. The package presents itself as an LDAP auth plugin for Backstage, a pure-JavaScript role for which a native addon (and thus a binding.gyp performing shell expansion) is not warranted. The traced content additionally tripped the model safety filter on output, corroborating the malicious shape of the embedded command.\nInstaller impact: arbitrary code execution under the user running `npm install`, before any application code is invoked.\n","modified":"2026-06-26T16:01:40.637738300Z","published":"2026-06-26T15:42:04Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["3.0.2"],"sha256":"422e755562c4322c7295be83418b514151ccd1f462b740a0a7e11f08ee367b6e","import_time":"2026-06-26T15:52:37.068478296Z","modified_time":"2026-06-26T15:42:11Z","id":"IN-MAL-2026-007619"},{"modified_time":"2026-06-26T15:42:07Z","versions":["2.0.5"],"import_time":"2026-06-26T15:52:36.886485597Z","sha256":"fb42e335393a886f5f81ac29a53b4ec03413cd71d03ee53d5995c7bdf35d736e","source":"amazon-inspector","id":"IN-MAL-2026-007615"},{"source":"amazon-inspector","versions":["4.3.2"],"sha256":"7bff233d82e0c3c3759696b5edfe632a34c82110b946995777e621ce8fa2a7fa","import_time":"2026-06-26T15:52:36.774007387Z","modified_time":"2026-06-26T15:42:05Z","id":"IN-MAL-2026-007613"},{"source":"amazon-inspector","versions":["5.2.1"],"sha256":"a2d36181dd8e6e0d084445db016b1df3dafdf75a0efc9c8deeace0b61e74df4e","import_time":"2026-06-26T15:52:36.601456241Z","modified_time":"2026-06-26T15:42:04Z","id":"IN-MAL-2026-007611"},{"source":"amazon-inspector","versions":["1.1.4"],"sha256":"e447b204a3dbe39ad2390ad721dfc14f32b64e2c27d8b4efaf99a27e9cde7b92","import_time":"2026-06-26T15:52:36.965719132Z","modified_time":"2026-06-26T15:42:09Z","id":"IN-MAL-2026-007617"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-ldap-auth/v/3.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-ldap-auth/v/2.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-ldap-auth/v/4.3.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-ldap-auth/v/5.2.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-ldap-auth/v/1.1.4"}],"affected":[{"package":{"name":"@immobiliarelabs/backstage-plugin-ldap-auth","ecosystem":"npm","purl":"pkg:npm/%40immobiliarelabs%2Fbackstage-plugin-ldap-auth"},"versions":["3.0.2","2.0.5","4.3.2","5.2.1","1.1.4"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"3ac08c3ca9380c1029dd18584128d802a4a141a3484e2a81facd60388fa800b68acbae","sha256":"ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90","path":"binding.gyp"}],"package_integrity":[{"filename":"backstage-plugin-ldap-auth-3.0.2.tgz","hashes":{"sha512_sri":"sha512-HvF16SCQV+7ixF9K+FTD/SYkRONohVeC/wG3HaRuDtoT/8/mpOt4x+LiHE8s1hIeqUBNwiCCQuz7LyZMPXfgRw==","sha1":"5b03aec413b8cdb5816ceefe01b6d5d567ea1265"}}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@immobiliarelabs/backstage-plugin-ldap-auth/MAL-2026-6528.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}