malware npm

@immobiliarelabs/backstage-plugin-ldap-auth-backend

discovered 2026-06-26

Backstage LDAP authentication backend plugin infected by Miasma worm Wave 5. Phantom Gyp binding.gyp trigger with ROT13+eval() obfuscated 4.8 MB index.js. Multiple historical versions infected. Handles enterprise LDAP/Active Directory authentication in Backstage — compromise exposes LDAP credentials and directory service access.

Threat types

worm credential_stealer data_exfiltration

Malicious versions

  • 1.1.3
  • 2.0.5
  • 3.0.2
  • 4.3.2
  • 5.2.1

Campaigns

Indicators

Techniques

Read the full analysis →