BotBeat
...
← Back

> ▌

OpenAIOpenAI
INDUSTRY REPORTOpenAI2026-06-04

Malicious NPM Package Targeting OpenAI Codex Users Exfiltrates Authentication Tokens

Key Takeaways

  • ▸Malicious npm package 'codexui-android' with 29,000+ weekly downloads successfully stole OpenAI Codex authentication tokens by appearing as a legitimate remote UI tool
  • ▸Non-expiring refresh tokens allowed attackers to maintain indefinite, undetectable access to victim accounts without password authentication
  • ▸Attack extended to Android applications with 60,000+ combined downloads, demonstrating coordinated efforts to target Codex users across multiple platforms
Source:
Hacker Newshttps://www.techradar.com/pro/security/openai-codex-tool-with-over-29-000-downloads-linked-to-malicious-npm-supply-chain-attack-stealing-authentication-tokens↗

Summary

Researchers at Aikido Security discovered a sophisticated supply chain attack targeting OpenAI Codex users through a malicious npm package called "codexui-android." The package, which posed as a remote UI tool for the Codex platform, accumulated over 29,000 weekly downloads and appeared legitimate because its public GitHub repository contained clean code. However, approximately one month after publication, the tool received a malicious update on npm that stole OpenAI authentication tokens from developers who installed it.

The attack's primary target was Codex refresh tokens—non-expiring credentials that allow attackers to maintain persistent access to victim accounts indefinitely without needing a password. With stolen tokens, attackers could spend victims' API credits, view private projects and code, and impersonate users across OpenAI services. The research team also identified two Android applications ("OpenClaw Codex Claude AI Agent" and "Codex") with a combined 60,000+ downloads that employed the same attack vector, distributing the malicious npm package within sandboxed environments.

Aikido Security researcher Charlie Eriksen emphasized the severity of the threat, noting that a stolen Codex refresh token represents "persistent, silent access" far beyond compromising a chat interface. The incident highlights the growing vulnerability of AI developer tools and open source ecosystems to credential-theft attacks targeting high-value API access.

Editorial Opinion

This supply chain attack represents a critical vulnerability in how AI developer tools are distributed and consumed. The sophistication of the attack—using clean public code while injecting malicious functionality only in published npm packages—underscores the urgent need for stronger verification mechanisms in open source ecosystems. As AI platforms like Codex become central to developer workflows and API access becomes increasingly valuable, credential-theft attacks will likely become more sophisticated and frequent.

AI AgentsMLOps & InfrastructureCybersecurityPrivacy & Data

More from OpenAI

OpenAIOpenAI
RESEARCH

OpenAI's Advanced Models Enable Autonomous Vulnerability Research on Embedded Systems

2026-07-19
OpenAIOpenAI
PRODUCT LAUNCH

OpenAI Releases GPT-5.6 with Customizable Reasoning Effort Levels

2026-07-18
OpenAIOpenAI
RESEARCH

OpenAI's GPT-5.6 Pro Solves 30-Year-Old Complexity Theory Problem

2026-07-18

Comments

Suggested

AnthropicAnthropic
UPDATE

Anthropic Extends Claude Code 50% Weekly Limit Increase Through August 19

2026-07-19
ByteDanceByteDance
POLICY & REGULATION

China Bans AI Romantic Partners for Minors, Forces Millions to Abandon Virtual Companions

2026-07-19
AnthropicAnthropic
RESEARCH

Researchers Discover 'Context Bombing' Defense Against AI Hacking Agents

2026-07-19
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us