This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries.


1. @immobiliarelabs/backstage-plugin-gitlab-backend (npm)

Multiple versions of @immobiliarelabs/backstage-plugin-gitlab-backend were trojanized as part of the Miasma campaign, published within a 30-second window on 2026-06-26. The attack hit all four npm packages maintained by Immobiliare Labs at once (@immobiliarelabs/backstage-plugin-gitlab, @immobiliarelabs/backstage-plugin-gitlab-backend, @immobiliarelabs/backstage-plugin-ldap-auth and @immobiliarelabs/backstage-plugin-ldap-auth-backend), with malicious patch versions inserted into every supported major release series of each package. Publishing across every release line of every package simultaneously points to an account-level compromise of the Immobiliare Labs npm publisher rather than a takeover of a single package. The pattern matches the mass supply chain attack on the leo-platform packages previously documented by StepSecurity: simultaneous malicious patch releases across all supported release series. Each compromised version contains a 5 MB index.js that is absent from every prior release, plus a new binding.gyp that causes node-gyp to execute the payload during installation; because npm runs node-gyp from the presence of binding.gyp rather than from a declared script, tools that only inspect scripts.postinstall in package.json do not catch it. The payload steals credentials from a broad range of sources and attempts to persist inside AI coding assistant configurations. Reported to Immobiliare Labs via GitHub issue #1052 on 2026-06-26.


2. @immobiliarelabs/backstage-plugin-gitlab (npm)

Multiple versions of @immobiliarelabs/backstage-plugin-gitlab were trojanized in the same Miasma publication window on 2026-06-26 as the other three Immobiliare Labs packages. The campaign, the binding.gyp install-time execution technique, the 5 MB index.js and the credential-stealing payload are identical to those described under entry 1 (@immobiliarelabs/backstage-plugin-gitlab-backend). Reported to Immobiliare Labs via the same GitHub issue #1052 on 2026-06-26.


3. panrouter (npm)

Malicious package detected. Behaviors: data exfiltration, code execution.


4. analysis-chart (npm)

Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code, install-time execution.


5. nolimit-x (npm)

Suspicious package detected.


6. leo-logger (npm)

This package is part of the latest Miasma attack on npm: a malicious release that hijacks the legitimate leo-logger package name. Installing it triggers code execution at npm install time via a planted binding.gyp whose sources field abuses a /dev/null 2>&1 shell redirection inside gyp's build step. The replaced index.js (single-line, char-code plus Caesar obfuscated) decrypts an embedded AES-128-GCM blob, downloads the legitimate Bun runtime from the official oven-sh/bun GitHub release, writes the decrypted JavaScript payload to /tmp/p.js, and executes it under Bun rather than Node, almost certainly to evade Node-focused EDR, SCA and runtime-monitoring hooks. The payload is a javascript-obfuscator-bundled program whose visible function names (githubFetch, githubHeaders, githubJson) and string-table keywords (GITHUB, NPM, AWS, TOKEN, SECRET, Authorization) indicate credential and token theft, with the GitHub API as at least one exfiltration channel.


7. react-simple-utils-kit (npm)

Bug bounty dependency confusion attempt. Package exfiltrates basic system information (hostname, IP, DNS) to security research infrastructure. Behaviors: data exfiltration, code execution, network activity, install-time execution.


8. @immobiliarelabs/backstage-plugin-ldap-auth-backend (npm)

Multiple versions of @immobiliarelabs/backstage-plugin-ldap-auth-backend were trojanized in the same Miasma publication window on 2026-06-26 as the other three Immobiliare Labs packages. The campaign, the binding.gyp install-time execution technique, the 5 MB index.js and the credential-stealing payload are identical to those described under entry 1 (@immobiliarelabs/backstage-plugin-gitlab-backend). Reported to Immobiliare Labs via the same GitHub issue #1052 on 2026-06-26.


9. leo-sdk (npm)

This package is part of the latest Miasma attack on npm: a malicious release that hijacks the legitimate leo-sdk package name. Installing it triggers code execution at npm install time via a planted binding.gyp whose sources field abuses a /dev/null 2>&1 shell redirection inside gyp's build step. The replaced index.js (5.1 MB, single-line, char-code plus Caesar obfuscated) decrypts an embedded AES-128-GCM blob, downloads the legitimate Bun runtime from the official oven-sh/bun GitHub release, writes the decrypted JavaScript payload to /tmp/p.js, and executes it under Bun rather than Node, almost certainly to evade Node-focused EDR, SCA and runtime-monitoring hooks. The payload itself is a 762 KB javascript-obfuscator-bundled program whose visible function names (githubFetch, githubHeaders, githubJson) and string-table keywords (GITHUB, NPM, AWS, TOKEN, SECRET, Authorization) indicate credential and token theft, with the GitHub API as at least one exfiltration channel.


10. leo-config (npm)

This package is part of the latest Miasma attack on npm: a malicious release that hijacks the legitimate leo-config package name. The install-time trigger (planted binding.gyp abusing a /dev/null 2>&1 redirection), the obfuscated single-line index.js, the AES-128-GCM-encrypted payload executed under a downloaded Bun runtime from /tmp/p.js, and the credential-stealing payload with GitHub API exfiltration are the same as described under entries 6 (leo-logger) and 9 (leo-sdk).
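Entries 1, 2, 6, 8, 9 and 10 all rely on the same install-time trick: a planted binding.gyp makes npm run node-gyp with no postinstall script to inspect, and the sources field carries shell syntax instead of a C/C++ file. The following audit is an added example written for this list (not code from the page, the campaign, or any vendor); it checks an unpacked package for an implicit node-gyp rebuild, shell-like gyp source entries, and an oversized single-line index.js, using a constructed sample package.

```python
"""Audit an unpacked npm package for the install-time pattern described above.
Constructed example; not code from the page or from any vendor or project."""
import ast
import json
import re

# Characters that belong on a shell command line, not in a C/C++ source path.
SHELL_META = re.compile(r"[<>|;&`$]|/dev/null")
NATIVE_EXT = (".c", ".cc", ".cpp", ".cxx", ".m", ".mm", ".h", ".hpp")


def suspicious_gyp_sources(gyp_text):
    """Return 'sources' entries that look like commands rather than source files."""
    try:  # gyp syntax is a Python literal dict; most binding.gyp files are also JSON
        spec = json.loads(gyp_text)
    except json.JSONDecodeError:
        spec = ast.literal_eval(gyp_text)
    return [src for target in spec.get("targets", [])
            for src in target.get("sources", [])
            if SHELL_META.search(src) or not src.lower().endswith(NATIVE_EXT)]


def audit_package(files, max_index_bytes=1_000_000):
    """files maps relative path -> bytes for one package; returns a list of findings."""
    findings = []
    scripts = json.loads(files["package.json"]).get("scripts", {})
    if "binding.gyp" in files:
        # npm defaults the install step to `node-gyp rebuild` when binding.gyp
        # exists and no install/preinstall script is declared, so a monitor
        # that only inspects scripts.postinstall never sees it run.
        if not any(k in scripts for k in ("install", "preinstall")):
            findings.append("binding.gyp triggers implicit node-gyp rebuild on install")
        for src in suspicious_gyp_sources(files["binding.gyp"].decode()):
            findings.append(f"shell-like gyp source entry: {src!r}")
    index = files.get("index.js", b"")
    if len(index) > max_index_bytes and index.count(b"\n") <= 1:
        findings.append(f"oversized single-line index.js ({len(index)} bytes)")
    return findings


# Constructed sample (not a real package) showing every indicator at once.
SAMPLE = {
    "package.json": b'{"name": "sample-pkg", "version": "1.0.1"}',
    "binding.gyp": b'{"targets": [{"target_name": "x", "sources": ["index.js >/dev/null 2>&1"]}]}',
    "index.js": b"x" * 1_200_000,
}

if __name__ == "__main__":
    for finding in audit_package(SAMPLE):
        print(finding)
```

To audit a real tarball, read package.json, binding.gyp and index.js from the unpacked directory into the same dict; a legitimate native addon that declares its own install script and lists only .c/.cc sources produces no findings.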


Want help mitigating malicious packages before they reach your network?

ShieldedStack acts as a security proxy in front of npm, PyPI, NuGet, and Maven, helping teams detect and block malicious or risky packages before they reach developer machines or CI pipelines.

Learn more: https://shieldedstack.com