- Researchers uncovered a malicious npm package posing as a Codex UI tool
- Attackers exfiltrated Codex authentication tokens, including non-expiring refresh tokens
- Aikido Security also discovered two Android apps targeting Codex users
A newly discovered supply-chain attack on npm is targeting software developers using OpenAI Codex.
Codex is OpenAI’s coding assistant and software engineering agent that can write and review code, fix bugs, run tests, and help developers build software with nothing but plain language input.
Recently it was discovered that a tool published on both GitHub and npm was actually malicious. It’s called “codexui-android”, and it’s described as a remote web user interface for the Codex platform. It attracted more than 29,000 weekly downloads, so it was rather popular. One of the reasons for its popularity is that it worked as advertised and appeared legitimate. The code published on GitHub remained “clean” the whole time, meaning the public source code didn’t show any malicious behavior.
Breaking bad
However, roughly a month into its existence, the tool received an update on npm which added information-stealing code. It primarily hunted for OpenAI login credentials.
When a developer runs the tool, it looks for their Codex authentication tokens and exfiltrates them to an attacker-controlled server. One of the tokens (the refresh token) can potentially allow an attacker to continue accessing the victim’s OpenAI account for an extended period of time without needing the password.
The implications are rather dangerous, explained Aikido Security researcher Charlie Eriksen, who found and disclosed the attack. Besides the obvious – accessing the victim’s Codex sessions – the attacker can use the tokens to spend the victim’s API credits, to view projects or code they’re working on through Codex, and even impersonate the victim when interacting with OpenAI services.
“The refresh_token does not expire,” Eriksen said. “An attacker holding it may silently impersonate you indefinitely. A stolen Codex refresh_token goes beyond access to a chat interface — it is persistent, silent access to whatever that account can do.”
Aikido also said it observed two Android apps, both published by the same account, that were also targeting Codex users. One is called OpenClaw Codex Claude AI Agent; it runs the npm package inside its PRoot sandbox and sends all Codex credentials to the same attacker-controlled server. This one had more than 50,000 downloads. The other one is called Codex and counts more than 10,000 downloads.
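A check a team could run against its own projects, as an added example that is not from the article or from Aikido: it searches parsed package-lock.json data for the package name reported above, covering the v1 and v2/v3 lockfile layouts and aliased installs. The sample lockfiles and their version strings are constructed, and any installed version is flagged because the article does not say which releases carried the stealer.

```javascript
// Added example: locate one package in parsed package-lock.json data.
const SUSPECT = "codexui-android"; // package name given in the article

function findPackage(lock, name = SUSPECT) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.includes("node_modules/")) continue; // root project or workspace dir
    const folder = path.split("node_modules/").pop();
    // An aliased install keeps the real package name in "name".
    if ((meta.name || folder) === name)
      hits.push({ path, version: meta.version || "unknown" });
  }
  // lockfileVersion 1 (and the v2 compatibility copy): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      const version = String(meta.version || "unknown");
      // v1 records an alias as "npm:<real-name>@<version>".
      const match = dep === name || version.startsWith(`npm:${name}@`);
      if (match && !hits.some((h) => h.path === path)) hits.push({ path, version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (versions are placeholders, not real releases).
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/codexui-android": { version: "0.0.0-example" },
    "node_modules/remote-ui": { name: "codexui-android", version: "0.0.0-example" },
    "node_modules/express": { version: "0.0.0-example" },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    wrapper: {
      version: "0.0.0-example",
      dependencies: { "codexui-android": { version: "0.0.0-example" } },
    },
  },
};

console.log(findPackage(SAMPLE_V3), findPackage(SAMPLE_V1));
```

To scan a real project, pass the parsed contents of its package-lock.json to findPackage.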
Via The Hacker News