-= Per source details. Do not edit below this line.=-
The package ships a binding.gyp at the package root whose targets/sources fields contain GYP command-expansion syntax, which runs an embedded shell command during npm install of this package as a transitive or direct dependency. The package presents itself as a Backstage GitLab plugin (a pure TypeScript/React frontend plugin), a category that has no legitimate need to build a native addon — and consistent with that, no C/C++ source files are shipped alongside binding.gyp, so the file's only effect is to run the embedded shell command at install time. The traced content of this install-time code path was withheld by the upstream model's malware-output safety filter, which is itself a corroborating signal that the executed content reads as operational malware rather than benign build logic.
{
"malicious-packages-origins": [
{
"versions": [
"5.2.1"
],
"modified_time": "2026-06-26T15:42:16Z",
"sha256": "00eb86df154a9532085ad285ee63cd4c4f9a95a6fe983b9930cd059dfb4cb3f5",
"id": "IN-MAL-2026-007624",
"source": "amazon-inspector",
"import_time": "2026-06-26T15:52:37.311762337Z"
},
{
"versions": [
"6.13.1"
],
"modified_time": "2026-06-26T15:42:15Z",
"sha256": "1f15945dc37e8e88a581ff3869d6f2c2efa39eddcbbc5d61b82aa05ff10c0e28",
"id": "IN-MAL-2026-007623",
"source": "amazon-inspector",
"import_time": "2026-06-26T15:52:37.233345942Z"
},
{
"versions": [
"3.0.3"
],
"modified_time": "2026-06-26T15:42:04Z",
"sha256": "3156ada55f6dcb5e429a184f246f6e60bb77a31c84231961e0803e76cafced0b",
"id": "IN-MAL-2026-007612",
"source": "amazon-inspector",
"import_time": "2026-06-26T15:52:36.652336644Z"
},
{
"versions": [
"7.0.2"
],
"modified_time": "2026-06-26T15:42:14Z",
"sha256": "85667e8ad429ae8bd36193c38af3b567789bdefb047aee9669fa9bd201bfcfc9",
"id": "IN-MAL-2026-007622",
"source": "amazon-inspector",
"import_time": "2026-06-26T15:52:37.189644709Z"
},
{
"versions": [
"2.1.2"
],
"modified_time": "2026-06-26T15:42:03Z",
"sha256": "8dcf811afd941947d8357bb6aa5c85d523861abd115900b5f151a0806f9da3e1",
"id": "IN-MAL-2026-007610",
"source": "amazon-inspector",
"import_time": "2026-06-26T15:52:36.509035183Z"
},
{
"versions": [
"4.0.2"
],
"modified_time": "2026-06-26T15:42:00Z",
"sha256": "bd3ae7900c4da339c927696cbb58db4c1d920641adfea39ddf98f355eb2188ca",
"id": "IN-MAL-2026-007609",
"source": "amazon-inspector",
"import_time": "2026-06-26T15:52:36.441997724Z"
},
{
"versions": [
"1.0.1"
],
"modified_time": "2026-06-26T15:42:16Z",
"sha256": "ddefa4518a49e0dfd8d005fb64a893a86029a2f836c7b9d60813e1710f2d6141",
"id": "IN-MAL-2026-007625",
"source": "amazon-inspector",
"import_time": "2026-06-26T15:52:37.396670367Z"
}
]
}[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"filename": "backstage-plugin-gitlab-5.2.1.tgz",
"hashes": {
"sha512_sri": "sha512-C+5YJE6vS9nUqVzr2ksTEZvspRFwrJYIQYhsuLq5oEs8FvyCO7rLVDRRp28vuxJFmbFyNHR1LqRRX6ogydpfSA==",
"sha1": "a36134e065b6317977cefdd689e4f618634d4919"
}
}
],
"evidence_files": [
{
"path": "binding.gyp",
"tlsh": "3ac08c3ca9380c1029dd18584128d802a4a141a3484e2a81facd60388fa800b68acbae",
"sha256": "ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@immobiliarelabs/backstage-plugin-gitlab/MAL-2026-6526.json"