@immobiliarelabs/backstage-plugin-gitlab-backend @7.0.2
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 6:49 PM UTC
OSV ID
MAL-2026-6527
Ecosystem
npm
Summary
The package ships a binding.gyp at the package root whose contents use GYP command-expansion syntax (<!(...)) inside its targets/sources fields. npm implicitly runs node-gyp rebuild whenever a binding.gyp is present, even with no declared install/postinstall script, and GYP evaluates <!(...) as a shell command during the configure step. The result is that npm install @immobiliarelabs/backstage-plugin-gitlab-backend@6.13.1 causes an embedded shell command to execute on the installer's machine without any explicit lifecycle hook. The package presents itself as a Backstage backend plugin (pure TypeScript/JavaScript), which has no legitimate need to ship a native-addon build descriptor; the binding.gyp's purpose is to run the embedded command at install time. The analysis of this artifact also tripped the provider's malware-output safety filter, which corroborates the malicious shape of the contents. Treat as install-time remote code execution: the harmful path runs automatically on a default npm install.
Source: amazon-inspector (096fc86987f4a25a5fb6572968e0c7309d71ed3e6ab16c239427de98c7d30ae7)