🚨 CAMPAIGN UPDATE 🚨
We have detected additional compromised packages and versions associated with the ongoing malicious campaign targeting Backstage plugins.
If you are using
@immobiliarelabs plugins within your environment (10K weekly downloads), audit your dependencies immediately. The newly identified compromised packages and versions are:
@ immobiliarelabs/backstage-plugin-gitlab 1.0.1, 2.1.2, 3.0.3, 4.0.2, 5.2.1, 6.13.1, 7.0.2
@ immobiliarelabs/backstage-plugin-gitlab-backend 3.0.3, 4.0.2, 5.2.1, 6.13.1, 7.0.2
@ immobiliarelabs/backstage-plugin-ldap-auth 1.1.4, 2.0.5, 3.0.2, 4.3.2, 5.2.1
@ immobiliarelabs/backstage-plugin-ldap-auth-backend 1.1.3, 2.0.5, 3.0.2, 4.3.2, 5.2.1
Secure your software supply chain by ensuring these specific versions are blocked. More updates to follow as our research continues. 👇
🚨 SECURITY ALERT 🚨
A new supply chain attack has been detected. A Shai Hulud worm variant dubbed "Alright Lets See If This Works" has hijacked 20 LeoPlatform npm packages, including "leo-logger", which impacts over 3.5K weekly downloads.
Audit your dependencies immediately. Full analysis and mitigation details will be live soon on our blog:
research.jfrog.com/post/shai…