Malicious package

@immobiliarelabs/backstage-plugin-ldap-auth (npm)

Malicious code in @immobiliarelabs/backstage-plugin-ldap-auth (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6528
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @immobiliarelabs/backstage-plugin-ldap-auth

What this malware does

The package ships a binding.gyp at the tarball root that contains GYP command-expansion syntax (<!(...) / <!@(...)) in its sources/targets configuration (binding.gyp line 6). npm implicitly invokes node-gyp rebuild whenever a binding.gyp is present — even with no declared install/postinstall script — and node-gyp evaluates <!(...) as a shell command during the configure step. This causes attacker-controlled shell to execute on the installer's machine on a default npm install, equivalent to a postinstall lifecycle hook. The package presents itself as an LDAP auth plugin for Backstage, a pure-JavaScript role for which a native addon (and thus a binding.gyp performing shell expansion) is not warranted. The traced content additionally tripped the model safety filter on output, corroborating the malicious shape of the embedded command. Installer impact: arbitrary code execution under the user running npm install, before any application code is invoked.

Malicious versions

5 flagged
1.1.4, 2.0.5, 3.0.2, 4.3.2, 5.2.1

Indicators of compromise (SHA-256)


Detection & response playbook

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @immobiliarelabs/backstage-plugin-ldap-auth (5 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @immobiliarelabs/backstage-plugin-ldap-auth across your stack and pipelines.

  2. If you installed it — respond

    Remove @immobiliarelabs/backstage-plugin-ldap-auth from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If @immobiliarelabs/backstage-plugin-ldap-auth was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks @immobiliarelabs/backstage-plugin-ldap-auth before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
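For step 1 and the binding.gyp mechanism described under "What this malware does", here is an added example (not O3's tooling and not code from the package) that extracts GYP command expansions from a binding.gyp and checks a package-lock.json for the flagged versions. The function names and both sample inputs are constructed for illustration; the package name and version list come from this page.

```javascript
// Added example, not O3's or the package's code. PKG and FLAGGED come from this page.
const PKG = '@immobiliarelabs/backstage-plugin-ldap-auth';
const FLAGGED = new Set(['1.1.4', '2.0.5', '3.0.2', '4.3.2', '5.2.1']);

// Return the command inside every <!(...) / <!@(...) expansion in binding.gyp text.
// Parentheses are counted so a command containing its own (...) is captured whole.
function gypCommandExpansions(gypText) {
  const found = [];
  const opener = /<!@?\(/g;
  while (opener.exec(gypText) !== null) {
    const start = opener.lastIndex;
    let depth = 1, i = start;
    for (; i < gypText.length && depth > 0; i++) {
      if (gypText[i] === '(') depth++;
      else if (gypText[i] === ')') depth--;
    }
    found.push(gypText.slice(start, depth === 0 ? i - 1 : i).trim());
    opener.lastIndex = i; // resume scanning after this expansion
  }
  return found;
}

// Return lockfile paths that pin PKG to a flagged version. Reads the "packages"
// map used by package-lock.json lockfileVersion 2 and 3.
function flaggedLockEntries(lockText) {
  const packages = JSON.parse(lockText).packages || {};
  return Object.entries(packages)
    .filter(([p, meta]) => p.endsWith('node_modules/' + PKG) && FLAGGED.has(meta.version))
    .map(([p, meta]) => `${p}@${meta.version}`);
}

// Constructed samples (harmless commands, made-up lockfile).
const SAMPLE_GYP = String.raw`{ "targets": [{ "target_name": "addon",
  "sources": ["<!(echo constructed-sample)"],
  "include_dirs": ["<!@(node -p \"require('node-addon-api').include\")"] }] }`;
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  'node_modules/@immobiliarelabs/backstage-plugin-ldap-auth': { version: '4.3.2' },
  'node_modules/left-pad': { version: '1.3.0' } } });

console.log(gypCommandExpansions(SAMPLE_GYP));
console.log(flaggedLockEntries(SAMPLE_LOCK));
```

The second sample hit is the include-path idiom that genuine native addons commonly use, so a match is a prompt to read the command, with extra weight when the package has no reason to ship a native addon at all.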

Frequently asked questions

No. @immobiliarelabs/backstage-plugin-ldap-auth on npm has been identified as a malicious package (versions 1.1.4, 2.0.5, 3.0.2, 4.3.2, 5.2.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007619, IN-MAL-2026-007615, IN-MAL-2026-007613, IN-MAL-2026-007611, IN-MAL-2026-007617

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks @immobiliarelabs/backstage-plugin-ldap-auth-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.