MAL-2026-6528

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@immobiliarelabs/backstage-plugin-ldap-auth/MAL-2026-6528.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6528
Published
2026-06-26T15:42:04Z
Modified
2026-06-26T16:01:40.637738300Z
Summary
Malicious code in @immobiliarelabs/backstage-plugin-ldap-auth (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e447b204a3dbe39ad2390ad721dfc14f32b64e2c27d8b4efaf99a27e9cde7b92)

The package ships a binding.gyp at the tarball root that contains GYP command-expansion syntax, which is evaluated during npm install and is therefore equivalent to a postinstall lifecycle hook. The package presents itself as an LDAP auth plugin for Backstage, a pure-JavaScript role for which a native addon (and thus a binding.gyp performing shell expansion) is not warranted. The traced content additionally tripped the model safety filter on output, corroborating the malicious shape of the embedded command. Installer impact: arbitrary code execution as the user running npm install, before any application code is invoked.
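The mechanism described above (GYP command-expansion directives that run at install time) can be checked for mechanically before a tarball is ever installed. The following is an added example, not code from this advisory, from the package, or from the scanner credited as its source: it opens an npm tarball in memory, looks for a binding.gyp under the package/ prefix that npm tarballs use, lists any <!( ... ) or <!@( ... ) directives, and notes whether package.json declares its own install-phase scripts (npm otherwise falls back to running node-gyp when a binding.gyp is present). The sample tarball, its benign echo command, and all function names are constructed for this demonstration.

```python
import io
import json
import re
import tarfile

# GYP command expansion: "<!(cmd)" and "<!@(cmd)" run `cmd` when the build
# is configured and splice its output into the build file. For an npm
# package that configuration step happens during `npm install`.
# (Only these two spellings are matched; that is a deliberate, narrow scope.)
CMD_EXPANSION = re.compile(r"<!@?\(\s*([^)]*)\)")

INSTALL_SCRIPTS = ("preinstall", "install", "postinstall")


def find_command_expansions(gyp_text):
    """Return the command strings found inside GYP command-expansion directives."""
    return [m.group(1).strip() for m in CMD_EXPANSION.finditer(gyp_text)]


def _strip_package_prefix(name):
    # npm tarballs put every file under a top-level "package/" directory.
    return name[len("package/"):] if name.startswith("package/") else name


def scan_npm_tarball(data):
    """Inspect the bytes of an npm .tgz without extracting it to disk.

    Returns a dict with:
      has_binding_gyp        - a binding.gyp sits at the package root
      commands               - commands embedded in <!(...) / <!@(...) directives
      declares_install_script - package.json has preinstall/install/postinstall
      suspicious             - binding.gyp present AND it carries command expansion
    """
    findings = {
        "has_binding_gyp": False,
        "commands": [],
        "declares_install_script": False,
        "suspicious": False,
    }
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            name = _strip_package_prefix(member.name)
            if name == "binding.gyp":
                findings["has_binding_gyp"] = True
                text = tf.extractfile(member).read().decode("utf-8", "replace")
                findings["commands"] = find_command_expansions(text)
            elif name == "package.json":
                pkg = json.loads(tf.extractfile(member).read().decode("utf-8", "replace"))
                scripts = pkg.get("scripts", {}) or {}
                findings["declares_install_script"] = any(k in scripts for k in INSTALL_SCRIPTS)
    findings["suspicious"] = findings["has_binding_gyp"] and bool(findings["commands"])
    return findings


def build_sample_tarball(binding_gyp_text, package_json_text='{"name":"sample","version":"0.0.0"}'):
    """Build a minimal npm-style tarball in memory. Constructed fixture, not the real package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text in (("package/package.json", package_json_text),
                           ("package/binding.gyp", binding_gyp_text)):
            payload = text.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample: the directive runs a harmless echo, which is enough to
# exercise the detector; a real finding would be reviewed by hand.
SAMPLE_GYP = '{"targets":[{"target_name":"noop","sources":["<!(echo constructed-sample)"]}]}'

if __name__ == "__main__":
    report = scan_npm_tarball(build_sample_tarball(SAMPLE_GYP))
    for key, value in report.items():
        print(f"{key}: {value}")
```

For a real tarball, pass the bytes of the downloaded .tgz to scan_npm_tarball and treat any non-empty commands list as a reason to hold the package for review; the check is deliberately conservative and reports the directive text rather than interpreting it.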

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "3.0.2"
            ],
            "modified_time": "2026-06-26T15:42:11Z",
            "sha256": "422e755562c4322c7295be83418b514151ccd1f462b740a0a7e11f08ee367b6e",
            "id": "IN-MAL-2026-007619",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T15:52:37.068478296Z"
        },
        {
            "versions": [
                "2.0.5"
            ],
            "modified_time": "2026-06-26T15:42:07Z",
            "sha256": "fb42e335393a886f5f81ac29a53b4ec03413cd71d03ee53d5995c7bdf35d736e",
            "id": "IN-MAL-2026-007615",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T15:52:36.886485597Z"
        },
        {
            "versions": [
                "4.3.2"
            ],
            "modified_time": "2026-06-26T15:42:05Z",
            "sha256": "7bff233d82e0c3c3759696b5edfe632a34c82110b946995777e621ce8fa2a7fa",
            "id": "IN-MAL-2026-007613",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T15:52:36.774007387Z"
        },
        {
            "versions": [
                "5.2.1"
            ],
            "modified_time": "2026-06-26T15:42:04Z",
            "sha256": "a2d36181dd8e6e0d084445db016b1df3dafdf75a0efc9c8deeace0b61e74df4e",
            "id": "IN-MAL-2026-007611",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T15:52:36.601456241Z"
        },
        {
            "versions": [
                "1.1.4"
            ],
            "modified_time": "2026-06-26T15:42:09Z",
            "sha256": "e447b204a3dbe39ad2390ad721dfc14f32b64e2c27d8b4efaf99a27e9cde7b92",
            "id": "IN-MAL-2026-007617",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T15:52:36.965719132Z"
        }
    ]
}
References
Credits

Affected packages

npm / @immobiliarelabs/backstage-plugin-ldap-auth

Package

Name
@immobiliarelabs/backstage-plugin-ldap-auth
Purl
pkg:npm/%40immobiliarelabs%2Fbackstage-plugin-ldap-auth

Affected ranges

Affected versions (range: affected version)

1.*: 1.1.4
2.*: 2.0.5
3.*: 3.0.2
4.*: 4.3.2
5.*: 5.2.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-HvF16SCQV+7ixF9K+FTD/SYkRONohVeC/wG3HaRuDtoT/8/mpOt4x+LiHE8s1hIeqUBNwiCCQuz7LyZMPXfgRw==",
                "sha1": "5b03aec413b8cdb5816ceefe01b6d5d567ea1265"
            },
            "filename": "backstage-plugin-ldap-auth-3.0.2.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "binding.gyp",
            "tlsh": "3ac08c3ca9380c1029dd18584128d802a4a141a3484e2a81facd60388fa800b68acbae",
            "sha256": "ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@immobiliarelabs/backstage-plugin-ldap-auth/MAL-2026-6528.json"