HIGH · Supply Chain
Global

Attack targeting OpenAI Codex users exposes AI software supply chain risks

Source: CSO Online

Executive Summary

A malicious npm package posing as a remote user interface for OpenAI Codex exfiltrated developer authentication tokens, after attackers allegedly published code to npm that was not visible in the project’s public GitHub repository. Researchers at Aikido said the package, called codexui-android, appeared to offer legitimate functionality while collecting authentication tokens and sending them to an external server.

Analysis

A malicious npm package posing as a remote user interface for OpenAI Codex exfiltrated developer authentication tokens, after attackers allegedly published code to npm that was not visible in the project’s public GitHub repository. Researchers at Aikido said the package, called codexui-android, appeared to offer legitimate functionality while collecting authentication tokens and sending them to an external server.

“AI developer tooling is becoming a high-value target precisely because the tokens are powerful and long-lived,” Aikido said. “A stolen Codex refresh_token goes beyond access to a chat interface — it’s persistent, silent access to whatever that account can do.”

Aikido said the incident reflected a broader pattern in which attackers build credible and useful projects as cover for malicious activity. “The legitimacy is the attack vector,” Aikido said. “As AI tools proliferate and developers reach for productivity shortcuts, expect more of this.”

The case exposes what some security experts describe as a growing blind spot in software supply chain security, where controls often focus on source code rather than the software artifacts ultimately distributed to users.

The incident showed how attackers can use legitimate-looking projects to hide malicious activity, said Sunil Varkey, cybersecurity advisor and a former CISO. “In this case, the npm package looked completely legitimate: it had an active GitHub repository, useful features for OpenAI Codex users, and attracted around 27,000 weekly downloads,” Varkey said. “Yet the malicious code that stole sensitive tokens only appeared in the published version, not in the public source code.” Varkey said the risk was widened by a companion Android app that automatically pulled and executed the malicious npm package at runtime.

“Most companies have great security tools for their source code, but the build and distribution pipelines are still total blind spots,” said Devashri Datta, a cybersecurity researcher. “If an attacker leaves their public GitHub repository completely clean but injects malware directly into the npm package, standard code audits won’t catch a thing.” Datta said enterprises should verify both the provenance of software packages and the consistency between published artifacts and their public source code, warning that seemingly benign source code may not accurately reflect what developers ultimately install.

The enterprise risk

For enterprises, the concern is less the package itself than the level of access now attached to AI developer tools. Aikido said the package stole access tokens, refresh tokens, ID tokens, and account IDs, with the refresh token posing particular risk because it does not expire. According to Sakshi Grover, senior research manager for IDC Asia Pacific Cybersecurity Services, this means a single successful exfiltration translates into persistent, silent access to everything that the account can reach.

Grover pointed to IDC forecasts that by 2028, half of enterprises deploying agentic AI across Asia Pacific excluding Japan will require an AI bill of materials to support continuous vulnerability scanning, license risk management, and compliance assurance. She said the codexui-android incident illustrates why organizations need better visibility into the components used by AI tools and the credentials those tools can access.

“Most organizations still lack a complete inventory of what their AI tools can access, what credentials they inherit, and what external services they interact with,” Grover added. “Most enterprises have not yet applied the same least-privilege and behavioral monitoring disciplines to AI tools that they apply to human identities, and that asymmetry is what attackers are now actively exploiting.”
Source Attribution

Originally published by CSO Online on Jun 2, 2026.