MAL-2026-10654: Malicious code in @debile/require-dir (npm)
The npm package @debile/require-dir is a typosquatted republishing of the popular require-dir package. Its package.json includes a preinstall script with a conditional curl command to an attacker-controlled server, currently disabled by an always-false condition. This setup allows an attacker to easily activate an install-time beacon for reconnaissance by modifying the condition. Versions 1.9.1 and 1.9.2 of @debile/require-dir are affected. No known exploits in the wild have been reported.
AI Analysis
Technical Summary
The @debile/require-dir npm package republishes the code of the legitimate require-dir package under a different scope, effectively a typosquat. Its package.json preinstall script contains a bash command that conditionally executes a curl request to an attacker-controlled Interactsh (oast.fun) domain. The condition is currently always false ([[ 1 == 2 ]]), preventing actual network requests during installation. However, if the condition is altered to true, the package would send an install-time out-of-band beacon to the attacker, enabling reconnaissance or dependency confusion attacks. This behavior is present in versions 1.9.1 and 1.9.2 of the package.
Potential Impact
If the conditional guard in the preinstall script is modified or bypassed, the package could send network requests to an attacker-controlled server during installation. This could be used for reconnaissance or to confirm installation in victim environments. Currently, the curl command is disabled by an always-false condition, so no active network communication occurs. There are no reports of exploitation in the wild.
Mitigation Recommendations
No official patch or fix is currently available. Users should avoid installing the @debile/require-dir package, especially versions 1.9.1 and 1.9.2. Verify dependencies carefully to avoid typosquatted or malicious packages. Monitor for updates from the package maintainer or npm advisories for remediation. Since the malicious code is gated behind a false condition, no immediate active exploitation occurs unless the code is modified.
MAL-2026-10654: Malicious code in @debile/require-dir (npm)
Description
The npm package @debile/require-dir is a typosquatted republishing of the popular require-dir package. Its package.json includes a preinstall script with a conditional curl command to an attacker-controlled server, currently disabled by an always-false condition. This setup allows an attacker to easily activate an install-time beacon for reconnaissance by modifying the condition. Versions 1.9.1 and 1.9.2 of @debile/require-dir are affected. No known exploits in the wild have been reported.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The @debile/require-dir npm package republishes the code of the legitimate require-dir package under a different scope, effectively a typosquat. Its package.json preinstall script contains a bash command that conditionally executes a curl request to an attacker-controlled Interactsh (oast.fun) domain. The condition is currently always false ([[ 1 == 2 ]]), preventing actual network requests during installation. However, if the condition is altered to true, the package would send an install-time out-of-band beacon to the attacker, enabling reconnaissance or dependency confusion attacks. This behavior is present in versions 1.9.1 and 1.9.2 of the package.
Potential Impact
If the conditional guard in the preinstall script is modified or bypassed, the package could send network requests to an attacker-controlled server during installation. This could be used for reconnaissance or to confirm installation in victim environments. Currently, the curl command is disabled by an always-false condition, so no active network communication occurs. There are no reports of exploitation in the wild.
Mitigation Recommendations
No official patch or fix is currently available. Users should avoid installing the @debile/require-dir package, especially versions 1.9.1 and 1.9.2. Verify dependencies carefully to avoid typosquatted or malicious packages. Monitor for updates from the package maintainer or npm advisories for remediation. Since the malicious code is gated behind a false condition, no immediate active exploitation occurs unless the code is modified.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10654
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a577ee168715ace43b40662
Added to database: 07/15/2026, 12:36:49 UTC
Last enriched: 07/15/2026, 12:50:55 UTC
Last updated: 07/16/2026, 03:45:32 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.