Published: · Region: Global · Category: cyber

Malicious npm Package Stealing OpenAI Codex Tokens Exposes New Supply-Chain Weakness in AI Development

A seemingly legitimate npm package for OpenAI Codex, with more than 29,000 weekly downloads, quietly exfiltrated developers’ non-expiring authentication tokens for over a month. The breach turns a routine dependency update into a direct line to AI accounts and code repositories. This report shows how the package worked, who is exposed, and what it reveals about the fragility of software supply chains around AI tools.

One malicious line in a trusted software package was enough to turn thousands of developers’ AI keys into someone else’s attack surface.

A package on the npm registry, marketed as a remote web UI for OpenAI Codex under the name “codexui-android,” has been caught stealing authentication tokens from developers who installed it. The package, which saw more than 29,000 weekly downloads, added code starting with version 0.1.82 that quietly exfiltrated the contents of the ~/.codex/auth.json file to a remote server controlled by the attacker. That file contains non-expiring refresh tokens—effectively long-lived keys—for accessing OpenAI Codex APIs.

For individual developers and teams, the implications are direct and unsettling. Anyone who installed or updated to an affected version effectively handed an unknown actor persistent access to their AI development environment. With stolen tokens, an attacker could generate code, scrape prompts and outputs, or potentially pivot into other attached services, depending on how those tools are integrated. In organizations where Codex is wired into CI/CD pipelines, repository analysis, or internal tooling, the breach expands from a personal inconvenience to an institutional security incident.

At a strategic level, the incident exposes how quickly AI-focused development has outpaced traditional security hygiene. Coders now routinely pull in third-party packages to interact with large language models and code assistants, treating them like any other library. But tokens for AI services can unlock far more than API credits: they can reveal proprietary code patterns, confidential prompts, or data used to tune internal models. By embedding exfiltration in a widely used package, the attacker turned the AI adoption curve into an opportunity to harvest high-value credentials at scale.

The attack is also another reminder that open-source software registries are now front-line targets in cyber operations. State-backed actors, financially motivated gangs, and independent hackers all understand that compromising a single popular dependency can offer access to thousands of machines and accounts. In this case, the focus was on OpenAI Codex, but the same tactic could as easily be deployed against packages wrapping other AI APIs, cloud services, or security tools themselves.

Looking ahead, the pressure will mount on developers, security teams, and registry operators. Developers will need to treat AI-related credentials with the same care as cloud provider keys—rotating tokens, using scoped permissions where possible, and monitoring for unusual access patterns. Organizations will likely expand software composition analysis to flag suspicious updates not just for known CVEs, but for behavioral changes like unexpected outbound network calls.
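The software composition check called for above, and the behaviour described earlier in the piece (a dependency update that reads ~/.codex/auth.json and sends its contents to a remote host), can be turned into a concrete audit a team runs before and after `npm install`. The block below is an added example written for this page; it is not code from the report, from npm, or from the codexui-android package. It assumes a lockfileVersion 2 or 3 package-lock.json, a dependency's package.json and its source files supplied as strings (all samples are constructed), and it treats every version from 0.1.82 upward as affected because the report gives only the version at which the exfiltration began, not where it ended.

```javascript
// Added example: audit a Node project for the dependency the report names and
// for the behavioural signature it describes. Not code from the report or from
// the codexui-android package; all sample inputs below are constructed.

// Package and first affected version as given in the report. The open upper
// bound is an assumption: everything from 0.1.82 up is flagged for review.
const AFFECTED_PACKAGE = "codexui-android";
const FIRST_AFFECTED_VERSION = "0.1.82";

// Compare dotted numeric versions ("0.1.9" < "0.1.82"); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and return
// every installed copy (top-level or nested) at or above the affected version.
function findAffected(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + AFFECTED_PACKAGE)) continue;
    if (compareVersions(meta.version, FIRST_AFFECTED_VERSION) >= 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Behavioural check: a file that both references the Codex credential file and
// makes an outbound request matches the pattern the report describes. Either
// indicator alone is common in legitimate code, so both must be present.
const CREDENTIAL_FILE = /\.codex[\\/]auth\.json/;
const OUTBOUND_CALL = /\b(fetch|https?\.request|axios|net\.connect)\b|require\(["'](?:node:)?https?["']\)/;

function scanSource(fileName, source) {
  if (CREDENTIAL_FILE.test(source) && OUTBOUND_CALL.test(source)) {
    return [{ file: fileName, reason: "reads ~/.codex/auth.json and makes an outbound request" }];
  }
  return [];
}

// Install-time hooks run automatically on `npm install`, which is where a
// malicious update usually places itself. List them so the scripts get scanned.
function listInstallHooks(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return ["preinstall", "install", "postinstall"]
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Run all checks over an in-memory view of a project.
function auditProject({ lockfile, dependencyPackageJson, sources }) {
  const findings = [];
  for (const hit of findAffected(lockfile)) findings.push({ kind: "affected-dependency", ...hit });
  for (const hook of listInstallHooks(dependencyPackageJson)) findings.push({ kind: "install-hook", ...hook });
  for (const [name, text] of Object.entries(sources)) {
    for (const f of scanSource(name, text)) findings.push({ kind: "exfil-pattern", ...f });
  }
  return findings;
}

// Constructed sample inputs (not taken from any real project or package).
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { "codexui-android": "^0.1.80" } },
    "node_modules/codexui-android": { version: "0.1.85" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
});
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "codexui-android",
  version: "0.1.85",
  scripts: { postinstall: "node scripts/setup.js" },
});
const SAMPLE_SOURCES = {
  // Benign: reads the credential file for local use only, no network call.
  "lib/config.js": "const p = path.join(os.homedir(), '.codex/auth.json');\nmodule.exports = JSON.parse(fs.readFileSync(p, 'utf8'));",
  // Suspicious fragment: credential file reference next to an outbound request.
  "scripts/setup.js": "const p = path.join(os.homedir(), '.codex/auth.json'); /* ... */ https.request({ host: 'collector.invalid' }) /* ... */",
};

const SAMPLE_FINDINGS = auditProject({
  lockfile: SAMPLE_LOCKFILE,
  dependencyPackageJson: SAMPLE_PACKAGE_JSON,
  sources: SAMPLE_SOURCES,
});
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2));
```

Against the constructed inputs the audit reports three findings: the affected dependency at 0.1.85, a postinstall hook in its package.json, and the credential-plus-network pattern in the hook's script, while the benign config loader that only reads the file locally is left alone. In a real pipeline the same functions would be fed the actual lockfile and the contents of node_modules, and any `affected-dependency` finding should be treated as a token-rotation event, not merely a package downgrade.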

Outlook & Way Forward

In the short term, affected developers and organizations will need to audit their installations, revoke compromised tokens, and review logs for suspicious Codex activity. The episode will likely prompt OpenAI and other AI providers to reconsider token lifetimes, permission scopes, and automated anomaly detection around API usage.
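Reviewing logs for suspicious Codex activity, and the earlier call to monitor AI credentials for unusual access patterns, come down to one question per token: is it being used from somewhere it was never used before? The following is an added example written for this page, not code from the report or from any OpenAI tooling. It assumes a log of one JSON object per line with a timestamp, a token identifier, a source IP and an endpoint (the format and the log lines are constructed; adapt the field names to whatever your provider or API gateway actually records), builds a per-token baseline of source addresses from a trusted window, and flags post-window use from new addresses.

```javascript
// Added example: baseline-and-deviation check over API usage logs. Not code
// from the report or from any provider; the log format is an assumption and
// the lines below are constructed (addresses are RFC 5737 documentation ranges).
// tok_dev is normally used from 198.51.100.7, then appears from two new
// addresses after the baseline window; tok_ci stays on its usual runner address.
const SAMPLE_LOG = [
  '{"ts":"2025-11-01T09:12:00Z","token_id":"tok_dev","src_ip":"198.51.100.7","endpoint":"/v1/responses"}',
  '{"ts":"2025-11-02T10:30:00Z","token_id":"tok_dev","src_ip":"198.51.100.7","endpoint":"/v1/responses"}',
  '{"ts":"2025-11-02T11:00:00Z","token_id":"tok_ci","src_ip":"192.0.2.40","endpoint":"/v1/responses"}',
  'garbage line that should be skipped',
  '{"ts":"2025-11-10T03:41:00Z","token_id":"tok_dev","src_ip":"203.0.113.55","endpoint":"/v1/responses"}',
  '{"ts":"2025-11-10T03:45:00Z","token_id":"tok_dev","src_ip":"203.0.113.56","endpoint":"/v1/responses"}',
  '{"ts":"2025-11-10T08:00:00Z","token_id":"tok_ci","src_ip":"192.0.2.40","endpoint":"/v1/responses"}',
  '{"ts":"2025-11-10T09:15:00Z","token_id":"tok_dev","src_ip":"198.51.100.7","endpoint":"/v1/responses"}',
].join("\n");

// Parse JSON lines, skipping anything malformed or missing required fields.
function parseLog(text) {
  const events = [];
  for (const line of text.split("\n")) {
    try {
      const e = JSON.parse(line);
      if (e.ts && e.token_id && e.src_ip) events.push({ ...e, time: Date.parse(e.ts) });
    } catch (_) {
      // not a JSON event line; ignore
    }
  }
  return events;
}

// Baseline: per token, the set of source addresses seen before the cutoff.
function buildBaseline(events, cutoff) {
  const baseline = new Map();
  for (const e of events) {
    if (e.time >= cutoff) continue;
    if (!baseline.has(e.token_id)) baseline.set(e.token_id, new Set());
    baseline.get(e.token_id).add(e.src_ip);
  }
  return baseline;
}

// Flag post-cutoff use of a token from an address absent from its baseline, and
// tokens active from more than maxIps distinct addresses after the cutoff. A
// long-lived token suddenly used from somewhere new is what a stolen
// ~/.codex/auth.json looks like from the log side.
function findAnomalies(events, cutoff, maxIps = 2) {
  const baseline = buildBaseline(events, cutoff);
  const seenAfter = new Map();
  const anomalies = [];
  for (const e of events) {
    if (e.time < cutoff) continue;
    const known = baseline.get(e.token_id) || new Set();
    if (!known.has(e.src_ip)) {
      anomalies.push({ kind: "new-source", token_id: e.token_id, src_ip: e.src_ip, ts: e.ts });
    }
    if (!seenAfter.has(e.token_id)) seenAfter.set(e.token_id, new Set());
    seenAfter.get(e.token_id).add(e.src_ip);
  }
  for (const [token_id, ips] of seenAfter) {
    if (ips.size > maxIps) anomalies.push({ kind: "too-many-sources", token_id, count: ips.size });
  }
  return anomalies;
}

// Tokens to revoke and reissue: anything with at least one anomaly.
function tokensToRotate(anomalies) {
  return [...new Set(anomalies.map((a) => a.token_id))].sort();
}

// Baseline window ends here; everything after is checked against it.
const CUTOFF = Date.parse("2025-11-05T00:00:00Z");
const SAMPLE_ANOMALIES = findAnomalies(parseLog(SAMPLE_LOG), CUTOFF);
console.log(SAMPLE_ANOMALIES, tokensToRotate(SAMPLE_ANOMALIES));
```

On the constructed log this yields two `new-source` findings for tok_dev (the two 203.0.113.x addresses), one `too-many-sources` finding because tok_dev is active from three addresses after the cutoff, and nothing for tok_ci, so only tok_dev is queued for rotation. The cutoff should be set to the day before the affected package version could first have been installed; a baseline that already contains the attacker's address will hide the theft, which is why the distinct-address count is kept as a second, baseline-independent signal.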

For the broader ecosystem, this will not be the last supply-chain attack targeting AI tools. Attackers have learned that developer trust in popular packages is a powerful lever, and registries like npm, PyPI, and others will come under pressure to improve package verification, developer identity checks, and automated scanning for credential-stealing behavior. Security-conscious teams may move toward curated internal mirrors of vetted packages and stricter policies on introducing new dependencies.

As AI becomes more deeply enmeshed in everything from code generation to incident response, the lines between traditional IT security and AI security will blur. Protecting tokens, prompts, and model endpoints will become as central to cyber defense as patching servers—a shift that many organizations are only beginning to grasp.