npm

@immobiliarelabs/backstage-plugin-ldap-auth-backend @5.2.1

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 6:49 PM UTC

Malicious

OSV ID

MAL-2026-6529

Ecosystem

npm

Summary

The package ships a binding.gyp at the package root containing GYP command-expansion syntax (<!(...)) in its sources/targets configuration (binding.gyp line 6). npm implicitly runs node-gyp rebuild whenever a binding.gyp is present — even with no declared install/postinstall script — and node-gyp evaluates <!(...) as a shell command during the configure step. This causes the embedded command to execute on the installing developer's or build system's machine on a default npm install, functionally equivalent to a malicious lifecycle hook. The package presents itself as a Backstage LDAP auth backend plugin, which has no legitimate need for a native build step or shell expansion in its build configuration. Stage-1 contextual tracing of the package contents was withheld by the model provider's safety filter, which engages specifically on content that reads as operational malware — a corroborating signal alongside the binding.gyp command-expansion finding.

Source: amazon-inspector (dbe41ed7d4257171c43c1047d7fde036575b57305b26d18cec61d1f1a20d33b1)
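
A defender-side check for the pattern described in the summary, added here as an example and not taken from the advisory or the package: it extracts <!(...) and <!@(...) command expansions from a binding.gyp and reports whether npm's default node-gyp rebuild would evaluate them. The function names, the sample manifest and the sample binding.gyp are constructed for illustration.

```javascript
const EXPANSION = /<!@?\(/g; // GYP command expansion "<!(cmd)" and list form "<!@(cmd)"

// Return each command-expansion body in binding.gyp text with its line number.
function findGypCommands(gypText) {
  const hits = [];
  for (const m of gypText.matchAll(EXPANSION)) {
    const start = m.index + m[0].length;
    let depth = 1, i = start;
    // Walk to the matching ")" so nested parentheses stay inside the command.
    for (; i < gypText.length && depth > 0; i++) {
      if (gypText[i] === '(') depth++;
      else if (gypText[i] === ')') depth--;
    }
    hits.push({
      line: gypText.slice(0, m.index).split('\n').length,
      command: gypText.slice(start, depth === 0 ? i - 1 : i).trim(),
    });
  }
  return hits;
}

// npm defaults the install script to `node-gyp rebuild` when binding.gyp sits at
// the package root and the manifest defines no install or preinstall script.
function auditPackage(manifest, gypText) {
  const scripts = manifest.scripts || {};
  const implicitBuild = gypText != null && !scripts.install && !scripts.preinstall;
  const commands = gypText == null ? [] : findGypCommands(gypText);
  return { name: manifest.name, implicitBuild, commands,
           runsOnDefaultInstall: implicitBuild && commands.length > 0 };
}

// Audit one unpacked package directory; returns null when package.json is absent.
function auditDir(dir) {
  const fs = require('fs'), path = require('path');
  const read = (f) => { try { return fs.readFileSync(path.join(dir, f), 'utf8'); } catch { return null; } };
  const manifest = read('package.json');
  return manifest ? auditPackage(JSON.parse(manifest), read('binding.gyp')) : null;
}

// Constructed sample: no install scripts, harmless placeholder command.
const SAMPLE_MANIFEST = { name: 'example-plugin', scripts: { build: 'tsc' } };
const SAMPLE_GYP = `{
  "targets": [{
    "target_name": "addon",
    "sources": ["<!(node scripts/list-sources.js)"]
  }]
}`;
console.log(JSON.stringify(auditPackage(SAMPLE_MANIFEST, SAMPLE_GYP), null, 2));
```

Command expansion also appears in legitimate native addons, so each reported command needs review rather than automatic blocking. Installing with npm's --ignore-scripts option skips the implicit build step.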
