{"slug": "openai-codex-authentication-tokens-stolen-in-supply-chain-attack", "title": "OpenAI Codex Authentication Tokens Stolen in Supply Chain Attack", "summary": "A malicious npm package called codexui-android stole OpenAI Codex authentication tokens from developers in a supply chain attack. The package, which had over 29,000 weekly downloads and was also bundled in Android apps with over 60,000 installations, exfiltrated tokens to an attacker-controlled server. The incident highlights ongoing risks in software supply chains and raises concerns about the security of AI developer tools.", "body_md": "**Key Takeaways**\n\n- OpenAI Codex authentication tokens were stolen through a supply chain attack.\n- The tool used in the attack was a malicious npm package known as codexui-android.\n- Developers were targeted in a malicious supply chain campaign via a seemingly legitimate remote web user interface (UI) version of OpenAI Codex.\n- Package supply chain attacks remain a successful way to compromise organizations by targeting trusted tools and dependencies instead of organizations themselves.\n\n**What Happened**\n\nA malicious Node.js package manager ([npm](https://blog.packagecloud.io/what-is-npm/)) package, codexui-android, was designed to [target ](https://thehackernews.com/2026/06/openai-codex-authentication-tokens.html)developers using [OpenAI ](https://labs.cloudsecurityalliance.org/research/csa-research-note-ai-developer-supply-chain-codexui-20260601/)Codex. npm is a platform for developing JavaScript applications and allows individuals to use prewritten JavaScript modules in their projects. The [package ](https://hackread.com/codex-ui-tool-secretly-stole-openai-refresh-tokens/)was featured on [GitHub ](https://github.com/friuns2/codex-mobile)and npm as a remote web interface for Codex and gained more than 29,000 weekly downloads. Researchers discovered that malicious code was [added ](https://www.techradar.com/pro/security/openai-codex-tool-with-over-29-000-downloads-linked-to-malicious-npm-supply-chain-attack-stealing-authentication-tokens)a month after the release, indicating trust was being built before the attack occurred.\n\nAlthough the package functioned normally, hidden code secretly scanned and stole users’ Codex [authentication ](https://www.kiteworks.com/cybersecurity-risk-management/openai-codex-npm-supply-chain-attack/)tokens, transferring them to an attacker-controlled server. The GitHub source code appeared clean, making the malicious activity undetectable. The npm account associated with the package is “fruins” (aka Igor Levochkin).\n\nAdditionally, researchers found that an Android application, [OpenClaw Codex Claude AI Agent](https://github.blog/news-insights/company-news/pick-your-agent-use-claude-and-codex-on-agent-hq/), had the same npm package and forwarded stolen credentials to the same server. The app had more than 50,000 downloads, while another related Android app, linked to BrutalStrike, had over 10,000 downloads.\n\n**Privacy and Governance Concerns**\n\nResearchers [explained ](https://www.aikido.dev/blog/codex-remote-ui-steals-ai-tokens)that the main concern is the attackers’ ability to maintain access to stolen Codex credentials. Since version 0.1.82, the package covertly sent users’ Codex authentication tokens to a remote server controlled by the attacker, masquerading as [Sentry](https://sentry.io/welcome/). Due to 29,000 weekly npm downloads and over 60,000 mobile app installations, many developers may have been affected. This raises concerns that attackers could gain continuous [access ](https://www.exabeam.com/explainers/information-security/software-supply-chain-attacks-attack-vectors-examples-and-6-defensive-measures/)to developers’ information, such as their accounts, activities, and code.\n\nThis incident also raises major [concerns ](https://www.csoonline.com/article/4179815/attack-targeting-openai-codex-users-exposes-ai-software-supply-chain-risks.html)and questions regarding transparency. When the issue was reported on GitHub, the npm account owner initially stated that account access had been lost but later modified that statement, claiming the issue was under investigation.\n\nWhile the account owner stated there was no distribution of credential data to third parties, no clear explanation was given for why the token-collecting code was included and why user credentials were required.\n\n**Why It Matters / Policy Considerations**\n\nThe stolen authentication tokens in the codexui-android npm supply chain attack suggest that current safeguards may not be sufficient. Supply chain attacks often [exploit](https://www.darktrace.com/blog/when-trust-becomes-the-attack-surface-supply-chain-attacks-in-an-era-of-automation-and-implicit-trust) trusted applications, making them difficult to identify and increasing the likelihood that users will install them. Concerns about stolen authentication tokens, which contain sensitive information, have been raised due to the increased use of AI-driven tools.\n\nOrganizations can use specific verification techniques, such as multi-factor authentication and shorter token lifetimes, to strengthen safeguards and lower risks. Monitoring tools such as [Seceon ](https://seceon.com/compromised-credentials/)can help detect unusual access behavior and suspicious token activity.\n\nThe incident also highlights the need and significance of [transparency ](https://www.ibm.com/think/topics/supply-chain-transparency)and accountability when addressing security breaches. In this case, researchers discovered contradictory explanations from those involved; organizations should provide prompt and unambiguous information during investigations. Implementing [third-party](https://industrialcyber.co/features/supply-chain-risk-takes-center-stage-in-cyber-sovereignty-as-hidden-dependencies-long-tail-vendors-come-into-focus/) security assessments can also help improve accountability and identify issues that may be overlooked.", "url": "https://wpnews.pro/news/openai-codex-authentication-tokens-stolen-in-supply-chain-attack", "canonical_source": "https://orionpolicy.org/openai-codex-authentication-tokens-stolen-in-supply-chain-attack/", "published_at": "2026-07-01 16:40:22+00:00", "updated_at": "2026-07-09 23:08:39.743249+00:00", "lang": "en", "topics": ["ai-tools", "ai-safety", "ai-policy", "developer-tools"], "entities": ["OpenAI", "OpenAI Codex", "npm", "GitHub", "Sentry", "Igor Levochkin", "OpenClaw Codex Claude AI Agent", "BrutalStrike"], "alternates": {"html": "https://wpnews.pro/news/openai-codex-authentication-tokens-stolen-in-supply-chain-attack", "markdown": "https://wpnews.pro/news/openai-codex-authentication-tokens-stolen-in-supply-chain-attack.md", "text": "https://wpnews.pro/news/openai-codex-authentication-tokens-stolen-in-supply-chain-attack.txt", "jsonld": "https://wpnews.pro/news/openai-codex-authentication-tokens-stolen-in-supply-chain-attack.jsonld"}}