A malicious npm package named codexui-android, impersonating a legitimate OpenAI Codex development tool, was accumulating approximately 29,000 weekly downloads before its discovery — silently harvesting OpenAI Codex authentication tokens from developers’ machines with each installation.
How codexui-android Impersonated an OpenAI Codex SDK to Harvest Developer Tokens
The package used typosquatting and convincing metadata to present itself as a legitimate Codex Android SDK component on the npm registry. Developers who installed it unknowingly exposed their OpenAI authentication tokens, which can grant access to Codex-powered projects, AI API resources, and enterprise AI deployments associated with those credentials. No CVE has been assigned — this is a malicious package rather than a flaw in a legitimate product.
The 29,000 Weekly Download Scale and the Targeting of AI Developer Workflows
With roughly 29,000 weekly downloads, codexui-android achieved significant distribution before detection. The attack was constructed specifically around AI developer workflows — targeting professionals who integrate OpenAI Codex into their development pipelines. Stolen Codex tokens carry more value than generic API credentials: they can unlock access to billing accounts, proprietary code generation outputs, fine-tuned models, and expensive compute resources tied to the victim’s OpenAI account.
AI Authentication Credentials as a Growing Supply Chain Attack Target
The codexui-android campaign reflects a documented trend of attackers pivoting toward AI-adjacent developer tooling as a high-value credential target. Enterprise AI deployments built on OpenAI Codex often incorporate proprietary prompts, custom model configurations, and integration with internal data sources. A stolen authentication token can expose all of these, making AI platform credentials a qualitatively different category of theft from traditional API key compromise.
What Developers Who Installed codexui-android Should Do
The package has been removed from the npm registry, but any OpenAI authentication tokens present on machines where codexui-android was installed should be treated as compromised and revoked immediately through the OpenAI developer console. Developers should audit their CI/CD pipeline configurations for any automated installs of the package and review access logs for unauthorized use of Codex API resources. Token revocation is the only way to terminate attacker access, regardless of whether anomalous usage has been observed.
