Over 29,000 downloads: Fake OpenAI Codex tool in npm repository leads to massive theft of authentication tokens
Security experts recently discovered a new supply chain attack in the npm repository targeting developers using the OpenAI Codex.
Security experts recently discovered a new supply chain attack in the npm repository targeting developers using the OpenAI Codex.
A tool published simultaneously on GitHub and npm was recently discovered to be malicious. It is called “codexui-android” and is described as a remote web user interface for the Codex platform, TechRadar reports .
The package became quite popular, garnering over 29,000 downloads per week. Part of the reason for its popularity was that it worked exactly as advertised and looked completely legitimate. The code published on GitHub remained “clean” at all times — meaning the public source code contained no signs of malicious behavior.
However, about a month after its release, the tool received an update in npm that added information-stealing code. First of all, it “hunted” for OpenAI login credentials.
When the developer runs this tool, it looks for their Codex authentication tokens and secretly transmits them to a server controlled by the attacker. One of these tokens (a refresh token) could potentially allow the attacker to continue accessing the victim's OpenAI account for an extended period of time without the need for a password.
The implications are quite dangerous, explained Charlie Eriksen, a researcher at Aikido Security who discovered and exposed the attack. In addition to the obvious — accessing the victim’s Codex sessions — the attacker could use the tokens to spend the user’s API balance, view projects or code they’re working on through Codex, and even impersonate the victim when interacting with OpenAI services.
“A refresh token has no expiration date,” Eriksen noted. “An attacker who has it can impersonate you without being detected and indefinitely. The stolen refresh_token from Codex is much more than just access to the chat interface; it’s permanent, hidden access to everything that account allows you to do.”
Aikido also said it discovered two Android apps published from the same account that also targeted Codex users. One of them, called “OpenClaw Codex Claude AI Agent,” ran this npm package in its own PRoot sandbox and sent all Codex credentials to the same server controlled by the attacker. This app has had over 50,000 downloads. Another app, called “Codex,” has had over 10,000 downloads.
Meta's AI support bot allowed hackers to effortlessly take over Instagram accounts: even two-factor protection didn't help
Meta's AI support bot allowed hackers to effortlessly take over Instagram accounts: even two-factor protection didn't help
Hackers hacked GitHub via VS Code extension and put the source code up for sale
Hackers hacked GitHub via VS Code extension and put the source code up for sale
Read the country's main IT news in our Telegram
Read the country's main IT news in our Telegram
