Malicious NPM Package Targeting OpenAI Codex Users Exfiltrates Authentication Tokens
Key Takeaways
- ▸Malicious npm package 'codexui-android' with 29,000+ weekly downloads successfully stole OpenAI Codex authentication tokens by appearing as a legitimate remote UI tool
- ▸Non-expiring refresh tokens allowed attackers to maintain indefinite, undetectable access to victim accounts without password authentication
- ▸Attack extended to Android applications with 60,000+ combined downloads, demonstrating coordinated efforts to target Codex users across multiple platforms
Summary
Researchers at Aikido Security discovered a sophisticated supply chain attack targeting OpenAI Codex users through a malicious npm package called "codexui-android." The package, which posed as a remote UI tool for the Codex platform, accumulated over 29,000 weekly downloads and appeared legitimate because its public GitHub repository contained clean code. However, approximately one month after publication, the tool received a malicious update on npm that stole OpenAI authentication tokens from developers who installed it.
The attack's primary target was Codex refresh tokens—non-expiring credentials that allow attackers to maintain persistent access to victim accounts indefinitely without needing a password. With stolen tokens, attackers could spend victims' API credits, view private projects and code, and impersonate users across OpenAI services. The research team also identified two Android applications ("OpenClaw Codex Claude AI Agent" and "Codex") with a combined 60,000+ downloads that employed the same attack vector, distributing the malicious npm package within sandboxed environments.
Aikido Security researcher Charlie Eriksen emphasized the severity of the threat, noting that a stolen Codex refresh token represents "persistent, silent access" far beyond compromising a chat interface. The incident highlights the growing vulnerability of AI developer tools and open source ecosystems to credential-theft attacks targeting high-value API access.
Editorial Opinion
This supply chain attack represents a critical vulnerability in how AI developer tools are distributed and consumed. The sophistication of the attack—using clean public code while injecting malicious functionality only in published npm packages—underscores the urgent need for stronger verification mechanisms in open source ecosystems. As AI platforms like Codex become central to developer workflows and API access becomes increasingly valuable, credential-theft attacks will likely become more sophisticated and frequent.
