I already installed @immobiliarelabs/backstage-plugin-gitlab-backend — how do I know if it already compromised me?

If @immobiliarelabs/backstage-plugin-gitlab-backend was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is @immobiliarelabs/backstage-plugin-gitlab-backend part of a known attack campaign?

Yes — @immobiliarelabs/backstage-plugin-gitlab-backend is associated with the IN-MAL-2026-007629, IN-MAL-2026-007628, IN-MAL-2026-007627, IN-MAL-2026-007630, IN-MAL-2026-007626 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find @immobiliarelabs/backstage-plugin-gitlab-backend across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @immobiliarelabs/backstage-plugin-gitlab-backend (5 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @immobiliarelabs/backstage-plugin-gitlab-backend across your stack and pipelines.

Malicious package

@immobiliarelabs/backstage-plugin-gitlab-backendnpm

Malicious code in @immobiliarelabs/backstage-plugin-gitlab-backend (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6527

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @immobiliarelabs/backstage-plugin-gitlab-backend

What this malware does

The package ships a binding.gyp at the package root whose contents use GYP command-expansion syntax (<!(...)) inside its targets/sources fields. npm implicitly runs node-gyp rebuild whenever a binding.gyp is present — even with no declared install/postinstall script — and GYP evaluates <!(...) as a shell command during the configure step. The result is that npm install @immobiliarelabs/[email protected] causes an embedded shell command to execute on the installer machine without any explicit lifecycle hook. The package presents itself as a Backstage backend plugin (pure TypeScript/JavaScript), which has no legitimate need to ship a native-addon build descriptor; the binding.gyp's purpose is to run the embedded command at install time. the analysis of this artifact tripped the provider's malware-output safety filter, which corroborates the malicious shape of the contents. Treat as install-time remote code execution: the harmful path is automatic on a default npm install.

Malicious versions

5 flagged

3.0.34.0.25.2.16.13.17.0.2

Indicators of compromise (SHA-256)

096fc86987f4a25a5fb6572968e0c7309d71ed3e6ab16c239427de98c7d30ae7

bd391194516a2446c71eb338fd1f072d8fa9f271541a1444d2b744bda4e17f6b

746900059ab269f17ea3ddbaec4bd970351a4aebf3d9fe39a1abf6d6a0c4e1b0

b76bfd2d462dd636f50ea252e3302cbc709493e28d15bcc6ed7fb78596ffa5d4

bc110d148a9d2fc837102bd10f2c465850d7134796fb23d718de1a9cc05221cf

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @immobiliarelabs/backstage-plugin-gitlab-backend (5 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @immobiliarelabs/backstage-plugin-gitlab-backend across your stack and pipelines.
If you installed it — respond
Remove @immobiliarelabs/backstage-plugin-gitlab-backend from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If @immobiliarelabs/backstage-plugin-gitlab-backend was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @immobiliarelabs/backstage-plugin-gitlab-backend before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @immobiliarelabs/backstage-plugin-gitlab-backend on npm has been identified as a malicious package (versions 3.0.3, 4.0.2, 5.2.1, 6.13.1, 7.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007629IN-MAL-2026-007628IN-MAL-2026-007627IN-MAL-2026-007630IN-MAL-2026-007626

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks @immobiliarelabs/backstage-plugin-gitlab-backend-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring