{"id":"MAL-2026-6529","summary":"Malicious code in @immobiliarelabs/backstage-plugin-ldap-auth-backend (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (dbe41ed7d4257171c43c1047d7fde036575b57305b26d18cec61d1f1a20d33b1)\nThe package ships a binding.gyp at the package root containing GYP command-expansion syntax (`\u003c!(...)`) in its sources/targets configuration (binding.gyp line 6). npm implicitly runs `node-gyp rebuild` whenever a binding.gyp is present — even with no declared install/postinstall script — and node-gyp evaluates `\u003c!(...)` as a shell command during the configure step. This causes the embedded command to execute on the installing developer's or build system's machine on a default `npm install`, functionally equivalent to a malicious lifecycle hook. The package presents itself as a Backstage LDAP auth backend plugin, which has no legitimate need for a native build step or shell expansion in its build configuration. Stage-1 contextual tracing of the package contents was withheld by the model provider's safety filter, which engages specifically on content that reads as operational malware — a corroborating signal alongside the binding.gyp command-expansion finding.\n","modified":"2026-06-26T16:01:40.541368905Z","published":"2026-06-26T15:42:07Z","database_specific":{"malicious-packages-origins":[{"versions":["3.0.2"],"sha256":"1980815b57c4a9a14ac0a08e77bed0ed2b854ff3c847b3195b3450a9604020fb","import_time":"2026-06-26T15:52:36.856888162Z","modified_time":"2026-06-26T15:42:07Z","id":"IN-MAL-2026-007614","source":"amazon-inspector"},{"sha256":"1e2e6177fb3a431ca0d0affda0d8c7ce2831145fb704941c97a11496ba24ba69","import_time":"2026-06-26T15:52:37.158907541Z","versions":["2.0.5"],"modified_time":"2026-06-26T15:42:13Z","id":"IN-MAL-2026-007621","source":"amazon-inspector"},{"sha256":"44186ac52e4c08636a02b1a9972646bec0f0348fa5c6b443dccc300da7eeaa26","import_time":"2026-06-26T15:52:36.931727923Z","versions":["1.1.3"],"modified_time":"2026-06-26T15:42:08Z","id":"IN-MAL-2026-007616","source":"amazon-inspector"},{"sha256":"c343f70bf2cdc9fcada05b6159436a2b1c5b4b764822fdee9f8ef1639ce4fc75","import_time":"2026-06-26T15:52:37.017494002Z","versions":["5.2.1"],"modified_time":"2026-06-26T15:42:10Z","id":"IN-MAL-2026-007618","source":"amazon-inspector"},{"sha256":"dbe41ed7d4257171c43c1047d7fde036575b57305b26d18cec61d1f1a20d33b1","import_time":"2026-06-26T15:52:37.102836566Z","versions":["4.3.2"],"modified_time":"2026-06-26T15:42:12Z","id":"IN-MAL-2026-007620","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-ldap-auth-backend/v/3.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-ldap-auth-backend/v/2.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-ldap-auth-backend/v/1.1.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-ldap-auth-backend/v/5.2.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@immobiliarelabs/backstage-plugin-ldap-auth-backend/v/4.3.2"}],"affected":[{"package":{"name":"@immobiliarelabs/backstage-plugin-ldap-auth-backend","ecosystem":"npm","purl":"pkg:npm/%40immobiliarelabs%2Fbackstage-plugin-ldap-auth-backend"},"versions":["3.0.2","2.0.5","1.1.3","5.2.1","4.3.2"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@immobiliarelabs/backstage-plugin-ldap-auth-backend/MAL-2026-6529.json","indicators":{"package_integrity":[{"filename":"backstage-plugin-ldap-auth-backend-3.0.2.tgz","hashes":{"sha512_sri":"sha512-L/P7y/QUZjRlGCPeSoXGM5XlGsbLr+118Q6hGqfJVtLkU+YHSH6jnG4Es3NAD1lB6UASKTO1iUaX+ymxZXR5uA==","sha1":"4bfc39e5187c2337d76a6999fa085e4332e7ae8b"}}],"evidence_files":[{"tlsh":"3ac08c3ca9380c1029dd18584128d802a4a141a3484e2a81facd60388fa800b68acbae","path":"binding.gyp","sha256":"ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}