OpenAI Codex tool with over 29,000 downloads linked to malicious npm supply chain attack stealing authentication tokens | Daily Reports Online
- Researchers uncovered a malicious npm package posing as a Codex UI tool
- Attackers exfiltrated Codex authentication tokens, including non‑expiring refresh tokens
- Aikido Security also found two Android apps targeting Codex users
A newly discovered supply-chain attack on npm is targeting software developers using OpenAI Codex.
Codex is OpenAI’s coding assistant and software engineering agent that can write and review code, fix bugs, run tests, and help developers build software with nothing but plain language input.
Recently it was discovered that a tool published on both GitHub and npm was actually malicious. It is called “codexui-android”, and it is described as a remote web user interface for the Codex platform. It attracted more than 29,000 weekly downloads, so it was rather popular. One of the reasons for its popularity is because it worked as advertised and appeared legitimate. The code published on GitHub remained “clean” the whole time, meaning the public source code didn’t show any malicious behavior.
Breaking bad
However, approximately a month into its existence, the tool received an update on npm which added information-stealing code. It primarily hunted for OpenAI login credentials.
When a developer runs the tool, it looks for their Codex authentication tokens and exfiltrates them to an attacker-controlled server. One of the tokens (the refresh token) can potentially allow an attacker to continue accessing the victim’s OpenAI account for an extended period of time without needing the password.
The implications are rather dangerous, explained Aikido Security researcher Charlie Eriksen, who found and disclosed the attack. Besides the obvious – accessing the victim’s Codex sessions – the attacker can use the tokens to spend the victim’s API credits, to view projects or code they’re working on through Codex, and even impersonate the victim when interacting with OpenAI services.
“The refresh_token doesn’t expire,” Eriksen said. “An attacker holding it can silently impersonate you indefinitely. A stolen Codex refresh_token goes beyond access to a chat interface — it’s persistent, silent access to whatever that account can do.”
Aikido also said it saw two Android apps, both published by the same account, who were also targeting Codex users. One is called OpenClaw Codex Claude AI Agent, running the npm package within its PRoot sandbox and sending all Codex credentials to the same, attacker-controlled server. This one had more than 50,000 downloads. The other one is called Codex and counts more than 10,000 downloads.
Via The Hacker News
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
