{
  "title": "Immobiliare Labs Backstage npm Packages Hit by Phantom Gyp",
  "summary": "On June 26, 2026, multiple @immobiliarelabs Backstage plugin versions were published to npm with a binding.gyp node-gyp hook and a new 5 MB index.js payload. Treat affected Backstage builds and developer or CI installs as credential exposure until lockfiles, package caches, and downstream audits are clean.",
  "date": "2026-06-26",
  "severity": "critical",
  "tags": [
    "npm",
    "backstage",
    "node-gyp",
    "supply-chain",
    "credential-theft"
  ],
  "sources_count": 6,
  "indicators": {
    "slug": "immobiliarelabs-backstage-npm-phantom-gyp",
    "since": "2026-06-26T15:00:49Z",
    "until": "2026-06-26T23:59:59Z",
    "ecosystem": "",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [],
    "versions": [],
    "affectedVersions": [],
    "fixedVersions": [],
    "files": [],
    "paths": [],
    "services": [],
    "domains": [
      "binding.gyp"
    ],
    "urls": [],
    "ips": [],
    "hashes": [
      "7ae466337c9f0951feae7b30d6f4b8afc8066bf8",
      "7a879ed69a8191df5c68535f6ac41b830577b698de943c66ff40e51482d90d79"
    ],
    "processPatterns": [],
    "networkPatterns": [],
    "telemetrySelectors": []
  }
}