{"slug": "openai-codex-tool-linked-to-malicious-npm-supply-chain-attack", "title": "OpenAI Codex tool linked to malicious NPM supply chain attack", "summary": "A malicious npm package posing as a remote web UI tool for OpenAI Codex has been discovered in a supply-chain attack, exfiltrating authentication tokens from developers. The package, \"codexui-android,\" attracted over 29,000 weekly downloads before adding information-stealing code that targets OpenAI login credentials and non-expiring refresh tokens. Researchers at Aikido Security also identified two Android apps with over 60,000 combined downloads that send Codex credentials to the same attacker-controlled server, potentially allowing persistent account access and API credit theft.", "body_md": "Sign up with your email below to instantly access member features, newsletters and exclusive Insider perks\n\nBy submitting your information, you confirm you are aged 16 or over,\nhave read our\nPrivacy Policy\nand agree to the\nTerms & Conditions. Geographical rules apply.\n\nResearchers uncovered a malicious npm package posing as a Codex UI tool\n\nAttackers exfiltrated Codex authentication tokens, including non‑expiring refresh tokens\n\nAikido Security also found two Android apps targeting Codex users\n\nA newly discovered supply-chain attack on npm is targeting software developers using OpenAI Codex.\n\nCodex is OpenAI’s coding assistant and software engineering agent that can write and review code, fix bugs, run tests, and help developers build software with nothing but plain language input.\n\nRecently it was discovered that a tool published on both GitHub and npm was actually malicious. It is called “codexui-android”, and it is described as a remote web user interface for the Codex platform. It attracted more than 29,000 weekly downloads, so it was rather popular. One of the reasons for its popularity is because it worked as advertised and appeared legitimate. The code published on GitHub remained “clean” the whole time, meaning the public source code didn’t show any malicious behavior.\n\nHowever, approximately a month into its existence, the tool received an update on npm which added information-stealing code. It primarily hunted for OpenAI login credentials.\n\nWhen a developer runs the tool, it looks for their Codex authentication tokens and exfiltrates them to an attacker-controlled server. One of the tokens (the refresh token) can potentially allow an attacker to continue accessing the victim’s OpenAI account for an extended period of time without needing the password.\n\nThe implications are rather dangerous, explained Aikido Security researcher Charlie Eriksen, who found and disclosed the attack. Besides the obvious - accessing the victim’s Codex sessions - the attacker can use the tokens to spend the victim’s API credits, to view projects or code they’re working on through Codex, and even impersonate the victim when interacting with OpenAI services.\n\n\"The refresh_token doesn't expire,\" Eriksen said. \"An attacker holding it can silently impersonate you indefinitely. A stolen Codex refresh_token goes beyond access to a chat interface -- it's persistent, silent access to whatever that account can do.\"\n\nAre you a pro? Subscribe to our newsletter\n\nSign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!\n\nAikido also said it saw two Android apps, both published by the same account, who were also targeting Codex users. One is called OpenClaw Codex Claude AI Agent, running the npm package within its PRoot sandbox and sending all Codex credentials to the same, attacker-controlled server. This one had more than 50,000 downloads. The other one is called Codex and counts more than 10,000 downloads.\n\nSead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.\n\nYou must confirm your public display name before commenting\n\nPlease logout and then login again, you will then be prompted to enter your display name.", "url": "https://wpnews.pro/news/openai-codex-tool-linked-to-malicious-npm-supply-chain-attack", "canonical_source": "https://www.techradar.com/pro/security/openai-codex-tool-with-over-29-000-downloads-linked-to-malicious-npm-supply-chain-attack-stealing-authentication-tokens", "published_at": "2026-06-04 02:23:10+00:00", "updated_at": "2026-06-04 02:46:12.334144+00:00", "lang": "en", "topics": ["ai-tools", "ai-products", "ai-agents", "ai-safety"], "entities": ["OpenAI Codex", "Aikido Security", "codexui-android", "npm", "GitHub"], "alternates": {"html": "https://wpnews.pro/news/openai-codex-tool-linked-to-malicious-npm-supply-chain-attack", "markdown": "https://wpnews.pro/news/openai-codex-tool-linked-to-malicious-npm-supply-chain-attack.md", "text": "https://wpnews.pro/news/openai-codex-tool-linked-to-malicious-npm-supply-chain-attack.txt", "jsonld": "https://wpnews.pro/news/openai-codex-tool-linked-to-malicious-npm-supply-chain-attack.jsonld"}}