malware
npm
@immobiliarelabs/backstage-plugin-ldap-auth-backend
discovered 2026-06-26

Backstage LDAP authentication backend plugin infected by Miasma worm Wave 5. Phantom Gyp binding.gyp trigger with ROT13+eval() obfuscated 4.8 MB index.js. Multiple historical versions infected. Handles enterprise LDAP/Active Directory authentication in Backstage; compromise exposes LDAP credentials and directory service access.
Threat types
worm credential_stealer data_exfiltration
Malicious versions
- 1.1.3
- 2.0.5
- 3.0.2
- 4.3.2
- 5.2.1
Campaigns
Indicators
Techniques
- ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- ttp Phantom Gyp binding.gyp Abuse (uses)
- ttp T1027 Obfuscated Files or Information (uses)
- ttp ROT13 with eval() Payload Obfuscation (uses)
- ttp T1140 Deobfuscate/Decode Files or Information (uses)
- ttp T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp T1528 Steal Application Access Token (uses)
- ttp T1105 Ingress Tool Transfer (uses)
- ttp T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp T1567.001 Exfiltration to Code Repository (uses)