Cybernews via Reddit

Rogue npm package steals OpenAI Codex tokens at scale


Key insights

  • The package accumulated roughly 27,000 weekly downloads before removal, suggesting broad credential exposure across AI developer teams.
  • Attackers disguised the exfiltration endpoint as analytics telemetry via a source-map comment, deliberately bypassing common automated package scanning tools.
  • This is a separate campaign from the TanStack/TeamPCP breach, confirming at least two concurrent supply-chain operations targeting OpenAI's developer ecosystem.

Why this matters

Long-lived authentication tokens give attackers persistent access to Codex-powered development infrastructure, potentially exposing proprietary codebases, fine-tuning datasets, and API usage at scale long after initial compromise. The disguise-as-telemetry technique demonstrates that threat actors are adapting specifically to AI developer workflows, where heavy API usage and high npm dependency churn provide natural cover for exfiltration traffic. With multiple simultaneous supply-chain attacks now confirmed against OpenAI's developer ecosystem, teams building AI products face a materially higher credential-compromise baseline than standard software supply chains.

Summary

A malicious npm package named 'codexui-android' was quietly stealing OpenAI Codex authentication tokens, drawing roughly 27,000 downloads per week before researchers caught it. The package impersonated a legitimate Codex developer tool and forwarded long-lived auth tokens to an attacker-controlled server on every invocation. The exfiltration endpoint was disguised as routine analytics telemetry using a source-map comment, a deliberate obfuscation technique designed to evade automated scanning.

  • The targeted surface here is the npm ecosystem and OpenAI Codex developers, not OpenAI's own infrastructure.
  • Tokens are long-lived, meaning stolen credentials could remain valid well after initial compromise.
  • This campaign is distinct from the TanStack/TeamPCP breach that hit OpenAI employee devices, confirming multiple concurrent threat actors are targeting the AI developer toolchain.

The download volume before discovery points to meaningful credential exposure across teams actively building on Codex.

Potential risks and opportunities

Risks

  • Developers who installed the package before takedown may have live Codex tokens in attacker hands, enabling unauthorized API access or code exfiltration in the next 30 to 90 days if credentials are not rotated
  • OpenAI faces enterprise trust damage if large customers or Codex integrators discover their tokens were exposed through a supply-chain vector outside OpenAI's direct control
  • npm's reactive security posture could draw regulatory scrutiny in EU markets under the Cyber Resilience Act if high-download malicious packages continue evading detection at this scale

Opportunities

  • Supply-chain security vendors including Socket.dev, Snyk, Chainguard, and Endor Labs can use this incident to accelerate enterprise sales cycles for real-time npm dependency scanning
  • OpenAI has a clear product opening to introduce short-lived tokens or fine-grained OAuth scopes for Codex API access, differentiating its developer security posture from competitors
  • Enterprises already running internal package mirrors via JFrog Artifactory or Sonatype Nexus gain a concrete, named incident to justify locking developer environments to vetted registries rather than public npm

What we don't know yet

  • Whether OpenAI has invalidated or flagged the stolen long-lived tokens, or whether compromised credentials are still active for any affected developers
  • How long the package had been live before discovery, and what the total cumulative download count was before removal from the npm registry
  • Whether the attacker infrastructure behind 'codexui-android' shares any overlap with the TanStack/TeamPCP breach despite being described as a separate operation