malware npm

@immobiliarelabs/backstage-plugin-gitlab-backend

discovered 2026-06-26

Backstage GitLab SCM backend plugin infected by Miasma worm Wave 5. Phantom Gyp binding.gyp trigger with a ROT13+eval()-obfuscated 4.8 MB index.js. Multiple historical versions are infected. The plugin is used in enterprise CI/CD pipelines integrating Backstage with GitLab, so a compromise exposes GitLab tokens and CI/CD environment credentials.

Threat types

worm credential_stealer data_exfiltration

Malicious versions

  • 3.0.3
  • 5.2.1
  • 6.13.1

Campaigns

Techniques
