MAL-2026-6529

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@immobiliarelabs/backstage-plugin-ldap-auth-backend/MAL-2026-6529.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6529
Published
2026-06-26T15:42:07Z
Modified
2026-06-26T16:01:40.541368905Z
Summary
Malicious code in @immobiliarelabs/backstage-plugin-ldap-auth-backend (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (dbe41ed7d4257171c43c1047d7fde036575b57305b26d18cec61d1f1a20d33b1)

The package ships a binding.gyp at the package root whose sources/targets configuration uses GYP command-expansion syntax, <!(...) (binding.gyp line 6). npm treats a binding.gyp in the package root as a native addon: when package.json declares neither an install nor a preinstall script, npm defaults the install step to node-gyp rebuild, and node-gyp's configure step evaluates every <!(...) (and <!@(...)) expansion by running the enclosed text as a shell command. A default npm install therefore executes the embedded command on the installing developer's or build system's machine with no lifecycle script visible in package.json, which is functionally equivalent to a malicious install hook. The package presents itself as a Backstage LDAP auth backend plugin, a plugin type that is ordinarily pure JavaScript/TypeScript and has no legitimate need for a native build step or for shell expansion in its build configuration. Stage-1 contextual tracing of the package contents was withheld by the model provider's safety filter, which engages specifically on content that reads as operational malware; this is treated as a corroborating signal alongside the binding.gyp command-expansion finding. Note for responders: npm install --ignore-scripts (or ignore-scripts=true in .npmrc) suppresses the implicit node-gyp rebuild as well as declared lifecycle scripts, and a binding.gyp in a package that ships no native sources is itself worth alerting on.
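The following is an added example, not code from the advisory, from Amazon Inspector, or from the package in question. It implements the check the paragraph above describes: given a package's package.json and binding.gyp text, it decides whether a default npm install would implicitly run node-gyp rebuild, extracts every <!(...) / <!@(...) command expansion, and flags a package that has a build file but references no native sources. The two sample packages (an ordinary native addon and a pure-JS plugin carrying a binding.gyp) are constructed inline; the file names and commands in them, such as setup.js, are hypothetical.

```javascript
// Added example, not code from the advisory, from Amazon Inspector, or from the
// package: a static audit for the implicit node-gyp execution path. npm defaults the
// install step to "node-gyp rebuild" when binding.gyp exists at the package root and
// package.json declares neither an install nor a preinstall script; node-gyp's
// configure step then runs every GYP command expansion <!(cmd) / <!@(cmd).

// Extract every GYP command expansion from binding.gyp text. The command itself may
// contain parentheses (e.g. require('x')), so track nesting rather than regex-matching
// the body. Parentheses inside quoted strings are not special-cased; an unbalanced
// file simply stops the scan early.
function findGypCommandExpansions(gypText) {
  const found = [];
  const opener = /<!@?\(/g;
  let m;
  while ((m = opener.exec(gypText)) !== null) {
    const start = m.index + m[0].length;
    let depth = 1;
    let i = start;
    while (i < gypText.length && depth > 0) {
      if (gypText[i] === "(") depth++;
      else if (gypText[i] === ")") depth--;
      i++;
    }
    if (depth !== 0) break;
    found.push({
      form: m[0] === "<!@(" ? "list" : "string",
      command: gypText.slice(start, i - 1).trim(),
      line: gypText.slice(0, m.index).split("\n").length,
    });
    opener.lastIndex = i;
  }
  return found;
}

// Does a default `npm install` run node-gyp rebuild with no lifecycle script declared?
// A declared install or preinstall script replaces the default; `npm install
// --ignore-scripts` (or ignore-scripts=true in .npmrc) suppresses both.
function implicitNodeGypRebuild(packageJson, hasBindingGyp) {
  const scripts = (packageJson && packageJson.scripts) || {};
  return hasBindingGyp && !("install" in scripts) && !("preinstall" in scripts);
}

// Crude check: does the build file reference any native source file at all?
function referencesNativeSources(gypText) {
  return /['"][^'"]+\.(c|cc|cpp|cxx|m|mm)['"]/.test(gypText);
}

function auditPackage({ packageJson, bindingGyp }) {
  const hasBindingGyp = typeof bindingGyp === "string";
  const expansions = hasBindingGyp ? findGypCommandExpansions(bindingGyp) : [];
  const implicit = implicitNodeGypRebuild(packageJson, hasBindingGyp);
  const native = hasBindingGyp && referencesNativeSources(bindingGyp);
  const reasons = [];
  if (implicit) reasons.push("binding.gyp present and no install/preinstall script: npm runs node-gyp rebuild by default");
  for (const e of expansions) reasons.push(`binding.gyp line ${e.line}: configure-time shell command: ${e.command}`);
  if (hasBindingGyp && !native) reasons.push("binding.gyp references no native sources, so a build step has no legitimate purpose");
  return {
    suspicious: implicit && expansions.length > 0 && !native,
    implicitNodeGypRebuild: implicit,
    commands: expansions.map((e) => e.command),
    reasons,
  };
}

// Constructed samples (hypothetical package contents, not the real tarballs).
const BENIGN_ADDON = {
  packageJson: { name: "example-addon", scripts: { test: "node test.js" } },
  bindingGyp: `{
  "targets": [{
    "target_name": "addon",
    "sources": ["src/addon.cc"],
    "include_dirs": ["<!@(node -p \\"require('node-addon-api').include\\")"]
  }]
}`,
};
const PURE_JS_PLUGIN = {
  packageJson: { name: "example-backend-plugin", main: "dist/index.js", scripts: { build: "tsc", test: "jest" } },
  bindingGyp: `{
  "targets": [{
    "target_name": "plugin",
    "type": "none",
    "sources": ["<!(node ./setup.js)"]
  }]
}`,
};

// Report on both samples; the returned objects carry the findings.
for (const [label, pkg] of [["benign native addon", BENIGN_ADDON], ["pure-JS plugin with binding.gyp", PURE_JS_PLUGIN]]) {
  const r = auditPackage(pkg);
  console.log(`${label}: suspicious=${r.suspicious}\n  ${r.reasons.join("\n  ")}`);
}
```

The native addon still triggers the implicit rebuild and still contains an expansion (the common node-addon-api include lookup), so neither signal is malicious on its own; what distinguishes the second sample is a build file in a package that has nothing to build. In a real pipeline the two inputs would come from the extracted tarball rather than from inline constants.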

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "3.0.2"
            ],
            "modified_time": "2026-06-26T15:42:07Z",
            "sha256": "1980815b57c4a9a14ac0a08e77bed0ed2b854ff3c847b3195b3450a9604020fb",
            "id": "IN-MAL-2026-007614",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T15:52:36.856888162Z"
        },
        {
            "versions": [
                "2.0.5"
            ],
            "modified_time": "2026-06-26T15:42:13Z",
            "sha256": "1e2e6177fb3a431ca0d0affda0d8c7ce2831145fb704941c97a11496ba24ba69",
            "id": "IN-MAL-2026-007621",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T15:52:37.158907541Z"
        },
        {
            "versions": [
                "1.1.3"
            ],
            "modified_time": "2026-06-26T15:42:08Z",
            "sha256": "44186ac52e4c08636a02b1a9972646bec0f0348fa5c6b443dccc300da7eeaa26",
            "id": "IN-MAL-2026-007616",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T15:52:36.931727923Z"
        },
        {
            "versions": [
                "5.2.1"
            ],
            "modified_time": "2026-06-26T15:42:10Z",
            "sha256": "c343f70bf2cdc9fcada05b6159436a2b1c5b4b764822fdee9f8ef1639ce4fc75",
            "id": "IN-MAL-2026-007618",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T15:52:37.017494002Z"
        },
        {
            "versions": [
                "4.3.2"
            ],
            "modified_time": "2026-06-26T15:42:12Z",
            "sha256": "dbe41ed7d4257171c43c1047d7fde036575b57305b26d18cec61d1f1a20d33b1",
            "id": "IN-MAL-2026-007620",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T15:52:37.102836566Z"
        }
    ]
}

Affected packages

npm / @immobiliarelabs/backstage-plugin-ldap-auth-backend

Package

Name
@immobiliarelabs/backstage-plugin-ldap-auth-backend
Purl
pkg:npm/%40immobiliarelabs%2Fbackstage-plugin-ldap-auth-backend

Affected versions

1.1.3
2.0.5
3.0.2
4.3.2
5.2.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "backstage-plugin-ldap-auth-backend-3.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-L/P7y/QUZjRlGCPeSoXGM5XlGsbLr+118Q6hGqfJVtLkU+YHSH6jnG4Es3NAD1lB6UASKTO1iUaX+ymxZXR5uA==",
                "sha1": "4bfc39e5187c2337d76a6999fa085e4332e7ae8b"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "binding.gyp",
            "tlsh": "3ac08c3ca9380c1029dd18584128d802a4a141a3484e2a81facd60388fa800b68acbae",
            "sha256": "ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@immobiliarelabs/backstage-plugin-ldap-auth-backend/MAL-2026-6529.json"