@immobiliarelabs/backstage-plugin-ldap-auth@5.2.1
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 6:49 PM UTC
OSV ID: MAL-2026-6528
Ecosystem: npm
Summary:
The package ships a binding.gyp at the tarball root that contains GYP command-expansion syntax (<!(...) / <!@(...)) in its sources/targets configuration (binding.gyp line 6). npm implicitly invokes node-gyp rebuild whenever a binding.gyp is present, even with no declared install/postinstall script, and node-gyp evaluates <!(...) as a shell command during the configure step. As a result, attacker-controlled shell commands execute on the installer's machine on a default npm install, equivalent to a postinstall lifecycle hook. The package presents itself as an LDAP auth plugin for Backstage, a pure-JavaScript role for which a native addon (and thus a binding.gyp performing shell expansion) is not warranted. The traced content additionally tripped the model safety filter on output, corroborating the malicious shape of the embedded command. Installer impact: arbitrary code execution as the user running npm install, before any application code is invoked.
Source: amazon-inspector (e447b204a3dbe39ad2390ad721dfc14f32b64e2c27d8b4efaf99a27e9cde7b92)