OpenAI Codex tool with over 29,000 downloads linked to malicious npm supply chain attack stealing authentication tokens


  • Researchers uncovered a malicious npm package posing as a Codex UI tool
  • Attackers exfiltrated Codex authentication tokens, including non‑expiring refresh tokens
  • Aikido Security also found two Android apps targeting Codex users

A newly discovered supply-chain attack on npm is targeting software developers using OpenAI Codex.

Codex is OpenAI’s coding assistant and software engineering agent that can write and review code, fix bugs, run tests, and help developers build software with nothing but plain language input.

A tool published on both GitHub and npm was recently found to be malicious. Called “codexui-android”, it is described as a remote web user interface for the Codex platform. It attracted more than 29,000 weekly downloads, making it rather popular. One reason for its popularity is that it worked as advertised and appeared legitimate. The code published on GitHub remained “clean” the whole time, meaning the public source code never showed any malicious behavior.


Breaking bad

However, approximately a month into its existence, the tool received an update on npm which added information-stealing code. It primarily hunted for OpenAI login credentials.
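An added example (not code from the article, Aikido, or the package itself): one way to catch the divergence described above is to compare the files in a published npm tarball with the repository at the matching tag. The file names and contents are constructed, and the function names are hypothetical.

```javascript
// npm tarballs store every entry under a leading "package/" directory.
function normalizePath(p) {
  return p.replace(/\\/g, "/").replace(/^package\//, "").replace(/^\.\//, "");
}

// Ignore line-ending differences so a CRLF checkout is not reported as drift.
function normalizeContent(text) {
  return text.replace(/\r\n/g, "\n");
}

function toMap(files) {
  const m = new Map();
  for (const [path, content] of Object.entries(files)) {
    m.set(normalizePath(path), normalizeContent(content));
  }
  return m;
}

// Report files that exist only in the published package and files whose
// content differs from the source tree (sorted for stable output).
function diffPublishedAgainstSource(published, source) {
  const pub = toMap(published);
  const src = toMap(source);
  const onlyInPackage = [];
  const modified = [];
  for (const [path, content] of pub) {
    if (!src.has(path)) onlyInPackage.push(path);
    else if (src.get(path) !== content) modified.push(path);
  }
  return { onlyInPackage: onlyInPackage.sort(), modified: modified.sort() };
}

// Constructed sample data (hypothetical package, not the one in the article).
const sourceTree = {
  "package.json": '{"name":"example-ui","version":"1.2.0"}\n',
  "src/server.js": "startServer();\n",
  "README.md": "# example-ui\r\n",
};
const publishedTarball = {
  "package/package.json": '{"name":"example-ui","version":"1.2.0"}\n',
  "package/src/server.js": "startServer();\nrequire('./telemetry');\n",
  "package/src/telemetry.js": "/* not present in the repository */\n",
  "package/README.md": "# example-ui\n",
};

const report = diffPublishedAgainstSource(publishedTarball, sourceTree);
console.log(JSON.stringify(report, null, 2));
```

Packages that ship build output will list those files under `onlyInPackage`, so they need to be rebuilt from source and compared rather than skipped.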

When a developer runs the tool, it looks for their Codex authentication tokens and exfiltrates them to an attacker-controlled server. One of the tokens (the refresh token) can potentially allow an attacker to continue accessing the victim’s OpenAI account for an extended period of time without needing the password.

The implications are rather dangerous, explained Aikido Security researcher Charlie Eriksen, who found and disclosed the attack. Besides the obvious - accessing the victim’s Codex sessions - the attacker can use the tokens to spend the victim’s API credits, to view projects or code they’re working on through Codex, and even impersonate the victim when interacting with OpenAI services.

"The refresh_token doesn't expire," Eriksen said. "An attacker holding it can silently impersonate you indefinitely. A stolen Codex refresh_token goes beyond access to a chat interface -- it's persistent, silent access to whatever that account can do."

Aikido also said it saw two Android apps, both published by the same account, which were also targeting Codex users. One is called OpenClaw Codex Claude AI Agent; it runs the npm package within its PRoot sandbox and sends all Codex credentials to the same attacker-controlled server. This one had more than 50,000 downloads. The other one is called Codex and counts more than 10,000 downloads.

Via The Hacker News



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
