
A malicious npm package posing as a remote user interface for OpenAI Codex exfiltrated developer authentication tokens, after attackers allegedly published code to npm that was not visible in the project's public GitHub repository.
Researchers at Aikido said the package, called codexui-android, appeared to offer legitimate functionality while collecting authentication tokens and sending them to an external server.
“AI developer tooling is becoming a high-value target precisely because the tokens are powerful and long-lived,” Aikido said. “A stolen Codex refresh_token goes beyond access to a chat interface — it's persistent, silent access to whatever that account can do.”
Aikido said the incident reflected a broader pattern in which attackers build credible and useful projects as cover for malicious activity.
“The legitimacy is the attack vector,” Aikido said. “As AI tools proliferate and developers reach for productivity shortcuts, expect more of this.”
The case exposes what some security experts describe as a growing blind spot in software supply chain security, where controls often focus on source code rather than the software artifacts ultimately distributed to users.
The incident showed how attackers can use legitimate-looking projects to hide malicious activity, said Sunil Varkey, cybersecurity advisor and a former CISO. “In this case, the npm package looked completely legitimate: it had an active GitHub repository, useful features for OpenAI Codex users, and attracted around 27,000 weekly downloads,” Varkey said. “Yet the malicious code that stole sensitive tokens only appeared in the published version, not in the public source code.”
Varkey said the risk was widened by a companion Android app that automatically pulled and executed the malicious npm package at runtime.
“Most companies have great security tools for their source code, but the build and distribution pipelines are still total blind spots,” said Devashri Datta, a cybersecurity researcher. “If an attacker leaves their public GitHub repository completely clean but injects malware directly into the npm package, standard code audits won't catch a thing.”
Datta said enterprises should verify both the provenance of software packages and the consistency between published artifacts and their public source code, warning that seemingly benign source code may not accurately reflect what developers ultimately install.
The enterprise risk
For enterprises, the concern is less the package itself than the extent of access now attached to AI developer tools.
Aikido said the package stole access tokens, refresh tokens, ID tokens, and account IDs, with the refresh token posing particular risk because it doesn't expire. According to Sakshi Grover, senior research manager for IDC Asia Pacific Cybersecurity Services, this means a single successful exfiltration translates into persistent, silent access to everything that the account can reach.
Grover pointed to IDC forecasts that by 2028, half of enterprises deploying agentic AI across the Asia Pacific, excluding Japan, will require an AI bill of materials to support continuous vulnerability scanning, license risk management, and compliance assurance. She said the codexui-android incident illustrates why organizations need better visibility into the components used by AI tools and the credentials those tools can access.
“Most organizations still lack a complete inventory of what their AI tools can access, what credentials they inherit, and what external services they interact with,” Grover added. “Most enterprises haven't yet applied the same least-privilege and behavioral monitoring disciplines to AI tools that they apply to human identities, and that asymmetry is what attackers are now actively exploiting.”
The article originally appeared on CSO.