Sign up with your email below to instantly access member features, newsletters and exclusive Insider perks
By submitting your information, you confirm you are aged 16 or over, have read our Privacy Policy and agree to the Terms & Conditions. Geographical rules apply.
Researchers uncovered a malicious npm package posing as a Codex UI tool
Attackers exfiltrated Codex authentication tokens, including non‑expiring refresh tokens
Aikido Security also found two Android apps targeting Codex users
A newly discovered supply-chain attack on npm is targeting software developers using OpenAI Codex.
Codex is OpenAI’s coding assistant and software engineering agent that can write and review code, fix bugs, run tests, and help developers build software with nothing but plain language input.
Recently it was discovered that a tool published on both GitHub and npm was actually malicious. It is called “codexui-android”, and it is described as a remote web user interface for the Codex platform. It attracted more than 29,000 weekly downloads, so it was rather popular. One of the reasons for its popularity is because it worked as advertised and appeared legitimate. The code published on GitHub remained “clean” the whole time, meaning the public source code didn’t show any malicious behavior.
However, approximately a month into its existence, the tool received an update on npm which added information-stealing code. It primarily hunted for OpenAI login credentials.
When a developer runs the tool, it looks for their Codex authentication tokens and exfiltrates them to an attacker-controlled server. One of the tokens (the refresh token) can potentially allow an attacker to continue accessing the victim’s OpenAI account for an extended period of time without needing the password.
The implications are rather dangerous, explained Aikido Security researcher Charlie Eriksen, who found and disclosed the attack. Besides the obvious - accessing the victim’s Codex sessions - the attacker can use the tokens to spend the victim’s API credits, to view projects or code they’re working on through Codex, and even impersonate the victim when interacting with OpenAI services.
"The refresh_token doesn't expire," Eriksen said. "An attacker holding it can silently impersonate you indefinitely. A stolen Codex refresh_token goes beyond access to a chat interface -- it's persistent, silent access to whatever that account can do."
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Aikido also said it saw two Android apps, both published by the same account, who were also targeting Codex users. One is called OpenClaw Codex Claude AI Agent, running the npm package within its PRoot sandbox and sending all Codex credentials to the same, attacker-controlled server. This one had more than 50,000 downloads. The other one is called Codex and counts more than 10,000 downloads.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.