Immobiliare Labs Backstage npm Packages Hit by Phantom Gyp
Confirmed
Discovered Jun 26, 2026
On June 26, 2026, multiple @immobiliarelabs Backstage plugin versions were published to npm with a binding.gyp node-gyp hook and a new 5 MB index.js payload. Treat affected Backstage builds and developer or CI installs as credential exposure until lockfiles, package caches, and downstream audits are clean.
10 Affected Packages, 14 Observables, 6 Sources
Timeline
| Date | Event | Description | Source |
|---|---|---|---|
| Jun 26, 2026 | Fresh source review | Reviewed direct and primary sources for the last-two-weeks supply-chain refresh; this preview intentionally excludes older Halting Problems article data. | Direct source |
Affected Software
| Package | Ecosystem | Version Range | Status | Confidence | Source |
|---|---|---|---|---|---|
| @immobiliarelabs/backstage-plugin-gitlab@1.0.1 | npm | unknown | Malicious | 90% | Direct source |
| @immobiliarelabs/backstage-plugin-gitlab@2.1.2 | npm | unknown | Malicious | 90% | Direct source |
| @immobiliarelabs/backstage-plugin-gitlab@3.0.3 | npm | unknown | Malicious | 90% | Direct source |
| @immobiliarelabs/backstage-plugin-gitlab@4.0.2 | npm | unknown | Malicious | 90% | Direct source |
| @immobiliarelabs/backstage-plugin-gitlab@5.2.1 | npm | unknown | Malicious | 90% | Direct source |
| @immobiliarelabs/backstage-plugin-gitlab@6.13.1 | npm | unknown | Malicious | 90% | Direct source |
| @immobiliarelabs/backstage-plugin-gitlab@7.0.2 | npm | unknown | Malicious | 90% | Direct source |
| @immobiliarelabs/backstage-plugin-gitlab-backend@3.0.3 | npm | unknown | Malicious | 90% | Direct source |
| @immobiliarelabs/backstage-plugin-gitlab-backend@4.0.2 | npm | unknown | Malicious | 90% | Direct source |
| @immobiliarelabs/backstage-plugin-gitlab-backend@5.2.1 | npm | unknown | Malicious | 90% | Direct source |
IOC Clipboard
14 IOCs
url: https://registry.npmjs.org/@immobiliarelabs/backstage-plugin-gitlab/-/backstage-plugin-gitlab-2.1.2.tgz
file_path: binding.gyp
file_path: index.js
file_path: package/binding.gyp
file_path: package/index.js
command: node-gyp rebuild
command: node index.js
command: binding.gyp
Provenance & Sources
| Source | Type | Reliability | Claims | Evidence |
|---|---|---|---|---|
| Direct source | direct | 95% | 1 | https://github.com/immobiliare/backstage-plugin-gitlab/issues/1052 |
| Primary research | primary research | 95% | 1 | https://www.stepsecurity.io/blog/immobiliarelabs-npm-packages-compromised |
| Primary research | primary research | 95% | 1 | https://registry.npmjs.org/@immobiliarelabs%2Fbackstage-plugin-gitlab |
| Primary research | primary research | 95% | 1 | https://registry.npmjs.org/@immobiliarelabs%2Fbackstage-plugin-gitlab-backend |
| Primary research | primary research | 95% | 1 | https://registry.npmjs.org/@immobiliarelabs%2Fbackstage-plugin-ldap-auth |
| Correlated source | correlated | 80% | 1 | https://snyk.io/blog/node-gyp-supply-chain-compromise-self-propagating-npm-worm-binding-gyp/ |