MAL-2026-6527

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@immobiliarelabs/backstage-plugin-gitlab-backend/MAL-2026-6527.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6527
Published
2026-06-26T15:42:17Z
Modified
2026-06-26T16:01:40.458585641Z
Summary
Malicious code in @immobiliarelabs/backstage-plugin-gitlab-backend (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (096fc86987f4a25a5fb6572968e0c7309d71ed3e6ab16c239427de98c7d30ae7)

The package ships a binding.gyp at the package root whose contents use GYP command-expansion syntax (<!(...)) inside its targets/sources fields. npm implicitly runs node-gyp rebuild whenever a binding.gyp is present — even with no declared install/postinstall script — and GYP evaluates <!(...) as a shell command during the configure step. The result is that npm install @immobiliarelabs/backstage-plugin-gitlab-backend@6.13.1 causes an embedded shell command to execute on the installer machine without any explicit lifecycle hook. The package presents itself as a Backstage backend plugin (pure TypeScript/JavaScript), which has no legitimate need to ship a native-addon build descriptor; the binding.gyp's purpose is to run the embedded command at install time. The analysis of this artifact tripped the provider's malware-output safety filter, which corroborates the malicious shape of the contents. Treat as install-time remote code execution: the harmful path is automatic on a default npm install.
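As an added example (not part of the OSV record, and not code from the package or its analysis source), the following defender-side check mirrors the finding above: it parses a package's binding.gyp without executing it, lists every <!(...) / <!@(...) command expansion together with its path in the GYP tree, and weighs that against whether package.json shows any sign of genuinely building a native addon. The two sample packages, their dependency names and the expansion commands are constructed placeholders; the heuristic signal list is an assumption, not an npm rule.

```python
import ast
import json
import re
import tempfile
from pathlib import Path

# GYP runs <!(cmd) and <!@(cmd) in a shell during the configure step of node-gyp.
GYP_COMMAND_EXPANSION = re.compile(r"<!@?\(")

# Assumed signals that a package really builds a native addon (heuristic, not exhaustive).
NATIVE_ADDON_SIGNALS = ("node-gyp", "node-addon-api", "nan", "node-gyp-build", "prebuild-install")


def parse_gyp(text):
    """binding.gyp is a Python-style dict literal. literal_eval parses it without
    evaluating any expression, so an untrusted file cannot run code here.
    Assumption: the file carries no '#' comments (GYP permits them)."""
    return ast.literal_eval(text)


def find_command_expansions(node, path=()):
    """Walk the parsed tree and return (path, value) for every string
    containing a command expansion, e.g. ('targets/0/sources/0', '<!(...)')."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits.extend(find_command_expansions(value, path + (str(key),)))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_command_expansions(value, path + (str(index),)))
    elif isinstance(node, str) and GYP_COMMAND_EXPANSION.search(node):
        hits.append(("/".join(path), node))
    return hits


def declares_native_addon(package_json):
    """True when package.json looks like a real native addon project."""
    deps = {}
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(package_json.get(field, {}))
    scripts = " ".join(package_json.get("scripts", {}).values())
    return (package_json.get("gypfile") is True
            or any(name in deps for name in NATIVE_ADDON_SIGNALS)
            or "node-gyp" in scripts)


def assess_package(pkg_dir):
    """Classify an unpacked package directory by its binding.gyp contents."""
    pkg_dir = Path(pkg_dir)
    gyp_file = pkg_dir / "binding.gyp"
    if not gyp_file.exists():
        return {"verdict": "clean", "expansions": []}  # npm will not invoke node-gyp
    package_json = json.loads((pkg_dir / "package.json").read_text())
    expansions = find_command_expansions(parse_gyp(gyp_file.read_text()))
    if not expansions:
        verdict = "native-build-only"   # compiles sources, runs no shell expansion
    elif declares_native_addon(package_json):
        verdict = "review"              # expansions are common in genuine addons
    else:
        verdict = "suspicious"          # pure-JS package with a shell-running gyp
    return {"verdict": verdict, "expansions": expansions}


# Constructed sample: a JS-only package whose binding.gyp exists only to run a command.
SUSPICIOUS_GYP = """{
  "targets": [{
    "target_name": "noop",
    "sources": ["<!(echo CONSTRUCTED-PLACEHOLDER-COMMAND)"]
  }]
}"""

# Constructed sample: the documented node-addon-api include pattern, which also uses <!@(...).
LEGIT_GYP = """{
  "targets": [{
    "target_name": "addon",
    "sources": ["src/addon.cc"],
    "include_dirs": ["<!@(node -p \\"require('node-addon-api').include\\")"]
  }]
}"""


def write_package(root, name, package_json, gyp_text):
    """Materialise a constructed package directory for the demo."""
    pkg_dir = Path(root) / name
    pkg_dir.mkdir()
    (pkg_dir / "package.json").write_text(json.dumps(package_json))
    (pkg_dir / "binding.gyp").write_text(gyp_text)
    return pkg_dir


def demo():
    """Assess both constructed packages and return their verdicts."""
    with tempfile.TemporaryDirectory() as root:
        plugin = write_package(root, "plugin",
                               {"name": "constructed-backend-plugin", "dependencies": {"express": "^4"}},
                               SUSPICIOUS_GYP)
        addon = write_package(root, "addon",
                              {"name": "constructed-addon", "dependencies": {"node-addon-api": "^7"}},
                              LEGIT_GYP)
        return {"plugin": assess_package(plugin), "addon": assess_package(addon)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["verdict"], result["expansions"])
```

The design point is that command expansion alone is not the signal: real addons use <!@(...) routinely to locate headers, so the check only escalates to "suspicious" when the package has no native-addon footprint at all, which is exactly the mismatch the record describes for a TypeScript backend plugin. Run it over the unpacked tarball of a package before it is allowed into a lockfile, or over node_modules after a quarantined install.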

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "6.13.1"
            ],
            "modified_time": "2026-06-26T15:42:19Z",
            "sha256": "096fc86987f4a25a5fb6572968e0c7309d71ed3e6ab16c239427de98c7d30ae7",
            "id": "IN-MAL-2026-007629",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T15:52:37.639550474Z"
        },
        {
            "versions": [
                "5.2.1"
            ],
            "modified_time": "2026-06-26T15:42:18Z",
            "sha256": "bd391194516a2446c71eb338fd1f072d8fa9f271541a1444d2b744bda4e17f6b",
            "id": "IN-MAL-2026-007628",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T15:52:37.598461054Z"
        },
        {
            "versions": [
                "4.0.2"
            ],
            "modified_time": "2026-06-26T15:42:18Z",
            "sha256": "746900059ab269f17ea3ddbaec4bd970351a4aebf3d9fe39a1abf6d6a0c4e1b0",
            "id": "IN-MAL-2026-007627",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T15:52:37.505571173Z"
        },
        {
            "versions": [
                "3.0.3"
            ],
            "modified_time": "2026-06-26T15:42:20Z",
            "sha256": "b76bfd2d462dd636f50ea252e3302cbc709493e28d15bcc6ed7fb78596ffa5d4",
            "id": "IN-MAL-2026-007630",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T15:52:37.694903013Z"
        },
        {
            "versions": [
                "7.0.2"
            ],
            "modified_time": "2026-06-26T15:42:17Z",
            "sha256": "bc110d148a9d2fc837102bd10f2c465850d7134796fb23d718de1a9cc05221cf",
            "id": "IN-MAL-2026-007626",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T15:52:37.452454014Z"
        }
    ]
}
References
Credits

Affected packages

npm / @immobiliarelabs/backstage-plugin-gitlab-backend

Package

Name
@immobiliarelabs/backstage-plugin-gitlab-backend
Purl
pkg:npm/%40immobiliarelabs%2Fbackstage-plugin-gitlab-backend

Affected ranges

Affected versions

3.*
3.0.3
4.*
4.0.2
5.*
5.2.1
6.*
6.13.1
7.*
7.0.2

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "backstage-plugin-gitlab-backend-6.13.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-YpqnLrsK4DRSLyswlqtWNlpl2tRDU206xB3J01BaLRhogtmDRFWYbFvMPuwY+K7TPswu4F5JUaiZ/W/qpAteAA==",
                "sha1": "a28eb85ec7d79c7dbb4200e3b79043b2e001a77a"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "binding.gyp",
            "tlsh": "3ac08c3ca9380c1029dd18584128d802a4a141a3484e2a81facd60388fa800b68acbae",
            "sha256": "ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@immobiliarelabs/backstage-plugin-gitlab-backend/MAL-2026-6527.json"