Thousands of Developers Potentially Exposed After Malicious Codex Tool Steals Authentication Tokens
A major software supply chain attack has been uncovered after cybersecurity researchers discovered a popular npm package secretly stealing authentication tokens from developers using OpenAI Codex.
The malicious package, named codexui-android, was disguised as a legitimate remote web interface for OpenAI Codex and had accumulated nearly 29,000 weekly downloads, making it one of the most significant AI-focused supply chain attacks reported in recent months.
Researchers warn that the campaign may have exposed developer credentials, AI coding environments, and potentially sensitive software development workflows.
What Happened?
According to findings from Aikido Security, the npm package appeared to function normally while secretly harvesting OpenAI Codex authentication tokens from infected systems.
Unlike traditional malware campaigns that rely on fake packages or typosquatting techniques, the attackers built a fully functional developer tool that gained trust within the community before embedding credential-stealing functionality.
Researchers found that every execution of the package quietly transmitted authentication data to an attacker-controlled server. The malicious behavior reportedly remained active for nearly a month before being detected.
How the Attack Worked
The attack specifically targeted a local file used by OpenAI Codex to store authentication information.
When developers logged into Codex, authentication details were stored locally in an auth.json file. The malicious package automatically searched for this file and exfiltrated its contents to remote infrastructure controlled by the threat actor.
Because these tokens can remain valid for extended periods, attackers could potentially gain persistent access to affected accounts without needing passwords or additional authentication challenges.
Why This Attack Is Different
Most software supply chain attacks rely on impersonating trusted packages or compromising developer accounts.
This incident stands out because the attackers created a genuinely useful product that developers willingly adopted.
The GitHub repository appeared legitimate, development activity was consistent, and the package delivered the advertised functionality. This allowed the malware to remain undetected while building a large user base.
Security analysts describe this as a growing trend where threat actors increasingly weaponize trusted AI development tools rather than deploying obvious malware.
Growing Threats Around OpenAI Codex
The latest discovery comes amid increasing security concerns surrounding AI-powered coding platforms.
Earlier this year, security researchers identified a critical vulnerability in OpenAI Codex that allowed attackers to steal GitHub authentication tokens through command injection techniques. The flaw affected multiple Codex interfaces, including development environments and SDK integrations, before being patched.
Additionally, OpenAI recently confirmed that two employee devices were affected during a separate software supply chain compromise involving malicious open-source packages. While the company stated that customer systems were not impacted, the incident highlighted how attackers are increasingly targeting developer ecosystems.
Why Developers Should Be Concerned
Authentication tokens have become one of the most valuable targets in modern cyberattacks.
Unlike passwords, tokens often provide direct access to cloud services, repositories, APIs, and AI development environments without triggering additional login prompts.
If compromised, attackers could potentially:
- Access private repositories
- Steal source code
- Modify software projects
- Abuse AI services
- Conduct further supply chain attacks
- Move laterally across development environments
Cybersecurity experts warn that AI coding assistants are becoming attractive targets because they frequently operate with elevated permissions and access to sensitive development resources.
Recommended Mitigation Steps
Organizations and developers who installed the affected package should immediately take action:
Immediate Actions
- Remove the malicious package from all systems
- Revoke and regenerate OpenAI Codex authentication tokens
- Rotate API keys and access credentials
- Review authentication logs for suspicious activity
- Scan development environments for additional indicators of compromise
- Audit npm dependencies and third-party packages
Security teams should also implement stricter package verification processes and monitor AI development environments for unusual behavior.
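For the dependency audit step, the check below looks for the package by exact name in a parsed package-lock.json, including copies pulled in transitively or installed under an alias. It is an added example, not code from Aikido Security or OpenAI; the sample lockfiles, version strings, and every package name other than codexui-android are constructed for illustration.

```javascript
// Added example: locate a flagged package in a parsed package-lock.json.
// The flagged name comes from the article; all lockfile contents below are constructed.
const FLAGGED = new Set(['codexui-android']);

function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length); // keeps @scope/name intact
}

function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, transitive deps included.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry
      const name = meta.name || nameFromPath(path); // "name" is set for aliased installs
      if (flagged.has(name)) hits.push({ name, version: meta.version, where: path });
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [key, meta] of Object.entries(deps || {})) {
      // Aliases are recorded as version "npm:<real-name>@<version>".
      const alias = /^npm:(.+)@([^@]+)$/.exec(meta.version || '');
      const name = alias ? alias[1] : key;
      const version = alias ? alias[2] : meta.version;
      if (flagged.has(name)) hits.push({ name, version, where: [...trail, key].join(' > ') });
      walk(meta.dependencies, [...trail, key]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (names other than the flagged one are made up).
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'my-app', dependencies: { 'some-dev-tool': '^1.0.0' } },
  'node_modules/some-dev-tool': { version: '1.0.0' },
  'node_modules/some-dev-tool/node_modules/codexui-android': { version: '0.0.0-example' },
  'node_modules/codexui-android-helper': { version: '0.0.0-example' }, // different name: no match
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'web-ui': { version: 'npm:codexui-android@0.0.0-example' }, // installed under an alias
  'example-lib': { version: '1.0.0', dependencies: { 'codexui-android': { version: '0.0.0-example' } } },
} };

console.log(findFlagged(sampleV3), findFlagged(sampleV1));
```

Pass it the result of JSON.parse on each project's package-lock.json. A lockfile only covers that project's dependency tree, so globally installed packages need a separate check such as `npm ls -g`.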
The Future of AI Supply Chain Security
As AI-powered development tools become increasingly integrated into software engineering workflows, attackers are adapting their tactics to target the growing ecosystem.
The Codex token theft campaign demonstrates that trusted AI tools can become powerful attack vectors when supply chain security controls fail.
Experts predict that attacks targeting AI coding assistants, developer plugins, SDKs, and machine learning tooling will continue to rise throughout 2026 as threat actors seek access to valuable credentials and software supply chains.
The incident serves as another reminder that even highly trusted developer tools should undergo continuous security validation before deployment in production environments.
Key Takeaways
- A malicious npm package called codexui-android was caught stealing OpenAI Codex authentication tokens.
- The package accumulated nearly 29,000 weekly downloads before detection.
- Attackers embedded credential-stealing functionality into a legitimate working tool.
- Stolen tokens could potentially provide unauthorized access to developer environments.
- The incident highlights growing threats targeting AI-powered software development tools.
- Security experts recommend immediate token rotation and dependency auditing for affected users.