Malicious package

@immobiliarelabs/backstage-plugin-ldap-auth-backend (npm)

Malicious code in @immobiliarelabs/backstage-plugin-ldap-auth-backend (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6529
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @immobiliarelabs/backstage-plugin-ldap-auth-backend

What this malware does

The package ships a binding.gyp at the package root containing GYP command-expansion syntax (<!(...)) in its sources/targets configuration (binding.gyp line 6). npm implicitly runs node-gyp rebuild whenever a binding.gyp is present — even with no declared install/postinstall script — and node-gyp evaluates <!(...) as a shell command during the configure step. This causes the embedded command to execute on the installing developer's or build system's machine on a default npm install, functionally equivalent to a malicious lifecycle hook. The package presents itself as a Backstage LDAP auth backend plugin, which has no legitimate need for a native build step or shell expansion in its build configuration. Stage-1 contextual tracing of the package contents was withheld by the model provider's safety filter, which engages specifically on content that reads as operational malware — a corroborating signal alongside the binding.gyp command-expansion finding.
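A defender-side check for the mechanism described above, as an added example that is not part of the advisory or of the package: it lists the command expansions in a binding.gyp and reports whether npm would run the build with no install script declared. The function names and the sample package with its placeholder command are constructed for illustration; the rule that a declared install/preinstall script or "gypfile": false suppresses npm's implicit node-gyp rebuild is npm behaviour not stated on this page.

```javascript
// Added example, not the advisory's code. Sample input below is constructed.
// Lists every GYP command expansion, <!(cmd) or <!@(cmd), with its 1-based line.
// Parentheses are matched by depth; quoted parentheses are not special-cased.
function findGypCommandExpansions(gypText) {
  const hits = [];
  const opener = /<!@?\(/g;
  let m;
  while ((m = opener.exec(gypText)) !== null) {
    const start = opener.lastIndex;
    let depth = 1;
    let i = start;
    for (; i < gypText.length && depth > 0; i++) {
      if (gypText[i] === '(') depth++;
      else if (gypText[i] === ')') depth--;
    }
    const end = depth === 0 ? i - 1 : gypText.length; // unterminated: keep the rest
    const line = gypText.slice(0, m.index).split('\n').length;
    hits.push({ line, command: gypText.slice(start, end).trim() });
    opener.lastIndex = end;
  }
  return hits;
}

// Assumption (npm behaviour): npm falls back to "node-gyp rebuild" when binding.gyp
// exists and package.json has no install/preinstall script and no "gypfile": false.
function auditPackage(pkg, gypText) {
  const scripts = pkg.scripts || {};
  const implicitBuild = gypText !== null && !scripts.install &&
    !scripts.preinstall && pkg.gypfile !== false;
  const expansions = gypText === null ? [] : findGypCommandExpansions(gypText);
  return { name: pkg.name, implicitBuild, expansions,
    hiddenInstallExec: implicitBuild && expansions.length > 0 };
}

// Audit an unpacked package directory (one that was extracted, never installed).
function auditPackageDir(dir) {
  const fs = require('node:fs');
  const path = require('node:path');
  const gypPath = path.join(dir, 'binding.gyp');
  const pkg = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8'));
  const gyp = fs.existsSync(gypPath) ? fs.readFileSync(gypPath, 'utf8') : null;
  return auditPackage(pkg, gyp);
}

// Constructed sample: placeholder command on line 6, no scripts declared.
const SAMPLE_PKG = { name: 'constructed-sample', version: '0.0.0' };
const SAMPLE_GYP = ['{', '  "targets": [', '    {', '      "target_name": "addon",',
  '      "sources": [', '        "<!(echo constructed-placeholder)"', '      ]',
  '    }', '  ]', '}'].join('\n');
console.log(JSON.stringify(auditPackage(SAMPLE_PKG, SAMPLE_GYP), null, 2));
```

Legitimate native addons also use command expansion, typically to locate header directories, so review each reported command rather than treating every hit as malicious.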

Malicious versions

5 flagged
1.1.3, 2.0.5, 3.0.2, 4.3.2, 5.2.1

Indicators of compromise (SHA-256)


Detection & response playbook

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @immobiliarelabs/backstage-plugin-ldap-auth-backend (5 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @immobiliarelabs/backstage-plugin-ldap-auth-backend across your stack and pipelines.

  2. If you installed it — respond

    Remove @immobiliarelabs/backstage-plugin-ldap-auth-backend from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If @immobiliarelabs/backstage-plugin-ldap-auth-backend was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks @immobiliarelabs/backstage-plugin-ldap-auth-backend before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @immobiliarelabs/backstage-plugin-ldap-auth-backend on npm has been identified as a malicious package (versions 1.1.3, 2.0.5, 3.0.2, 4.3.2, 5.2.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007614, IN-MAL-2026-007621, IN-MAL-2026-007616, IN-MAL-2026-007618, IN-MAL-2026-007620

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks @immobiliarelabs/backstage-plugin-ldap-auth-backend-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.