Multiple npm packages maintained by Immobiliare Labs were compromised on June 26, 2026, running a malicious payload during installation via a 'binding.gyp' hook. Affected packages include various Backstage plugins; the payload harvests credentials from GitHub Actions, AWS, GCP, and Azure, among others. Static analysis revealed a new 5 MB 'index.js' in version 2.1.2, a significant change from prior clean versions.
The attack shares similarities with previous supply chain attacks and includes capabilities for credential harvesting and self-propagation. StepSecurity has issued alerts and developed tools for detection and remediation.