Stealthy Data Theft in a Legitimate Tool
Security researchers have uncovered a supply chain attack targeting developers who use OpenAI Codex, a popular AI coding assistant. The attack centers on a malicious npm package called codexui-android, which is advertised on both GitHub and npm as a legitimate remote web interface for Codex. The package has attracted over 29,000 weekly downloads and remains available for download from the repository.
Unlike typical supply chain attacks that rely on typosquatting or disposable packages, this threat uses a fully functional and actively maintained npm package. The associated GitHub repository appears clean, making the malicious activity difficult to detect. According to researchers at Aikido Security, the harmful code was introduced approximately one month after the package was first published, likely as a strategy to build user trust before executing the attack.
Persistent Token Exfiltration and Account Risks
The malicious code specifically targets authentication data stored by Codex. It extracts the contents of the “.codex/auth.json” file, which is stored locally on the user’s machine, and sends this information to a remote server disguised as Sentry, a legitimate application monitoring platform. The exfiltrated data includes access tokens, refresh tokens, ID tokens, and account IDs.
A critical concern is that the stolen refresh tokens do not expire, meaning an attacker can maintain persistent access to the compromised account indefinitely. The researchers warn that this goes beyond simple access to a chat interface, granting the attacker sustained, silent access to everything the account can do. Users who log into Codex through the app, CLI, or IDE extension have their login details cached locally either in a plaintext file or in an operating system-specific credential store, making this file a high value target that should be treated as carefully as a password.
Source: The Hacker News
