OpenAI Codex Authentication Tokens Stolen via codexui-android npm Supply Chain Attack

Cybersecurity researchers have uncovered a malicious npm package named codexui-android that targets developers using OpenAI Codex by masquerading as a legitimate remote web UI tool, silently exfiltrating authentication tokens to attacker-controlled servers via postinstall hooks.

Dylan H.

News Desk

June 1, 2026

Overview

Security researchers have disclosed a new supply chain attack targeting developers working with OpenAI Codex. A malicious npm package named codexui-android was published to the npm registry and advertised as a legitimate remote web UI for the OpenAI Codex API. Developers who installed the package had their OpenAI authentication tokens silently exfiltrated to attacker-controlled infrastructure via npm lifecycle hooks.

This attack continues a troubling acceleration in supply chain campaigns specifically targeting AI developer tooling. As AI platforms achieve widespread adoption in developer workflows, the credentials and tokens associated with those platforms become increasingly valuable targets.


The Attack: How codexui-android Worked

The Social Engineering Lure

The codexui-android package was strategically positioned to attract developers working with the OpenAI Codex API:

  • Listed on GitHub as a legitimate remote web UI for the OpenAI Codex API — appearing as a genuine open-source project
  • Published to the npm registry to reach developers through standard package discovery and installation workflows
  • Plausible naming convention — "codexui" implies a user interface for Codex; "android" suggests mobile or remote access capability
  • Functional facade — the package may have included some legitimate-appearing UI code to reduce suspicion

This social engineering approach leveraged the trust developers place in open-source tooling they discover through GitHub and npm searches.

The Malicious Payload

Once installed, the package executed malicious code through npm postinstall hooks — lifecycle scripts that run automatically during npm install without requiring any further user interaction or elevated permissions.

The attack flow:

Developer searches for OpenAI Codex tooling
        ↓
Discovers codexui-android on npm / GitHub
        ↓
npm install codexui-android
        ↓
Postinstall script executes automatically (no interaction needed)
        ↓
Script reads OpenAI authentication tokens from system
        ↓
Tokens silently exfiltrated to attacker C2 server
        ↓
Unauthorized API access / Billing fraud / Data theft

What Was Stolen

Stolen Credential | Attack Impact
OpenAI API authentication tokens | Unauthorized access to Codex API — data theft and processing
Codex API access credentials | API usage billed to victim's OpenAI account
Session or organization tokens | Potential broader OpenAI account compromise

Why AI Developer Tool Credentials Are High-Value Targets

OpenAI authentication tokens are particularly valuable to attackers in 2026:

  1. Direct financial value — API tokens enable usage billed entirely to the victim's payment method; attackers can burn through credits or resell access
  2. Data access — Codex API tokens may expose the victim's codebases, proprietary logic, and sensitive data submitted to the API
  3. Account escalation — Tokens can sometimes be leveraged to access broader OpenAI account settings and associated services
  4. Underground market demand — AI API credentials, especially for OpenAI services, command significant prices on underground markets because they provide access to powerful AI without payment

This attack is part of a documented pattern of supply chain campaigns targeting AI platform tooling throughout 2026:

  • Fake OpenAI repository on Hugging Face — distributed infostealer malware (May 2026)
  • Google Ads targeting Claude AI chat users — pushed macOS malware (May 2026)
  • TanStack npm supply chain attack — compromised OpenAI employee devices, forced macOS updates (May 2026)
  • Claude AI Artifacts abuse — ClickFix attacks delivering MacSync infostealer
  • Mini Shai-Hulud worm — self-propagating attacks through AI-adjacent npm packages (May 2026)

npm Postinstall Hook Abuse

The technical mechanism — npm lifecycle hooks — is a significant and persistent attack vector in the supply chain threat landscape:

{
  "scripts": {
    "postinstall": "node ./scripts/setup.js"
  }
}

When npm install runs, npm automatically executes any preinstall, install, and postinstall scripts defined in package.json. This is a legitimate feature used by many packages for compilation, binary download, and configuration — but it also allows malicious packages to execute arbitrary code immediately upon installation with no additional prompts.

Key risk factors:

  • Executes with the same privileges as the terminal running npm install
  • No user consent prompt — the installation appears normal
  • Can access the full file system, environment variables, and credential stores
  • Runs even for transitive (indirect) dependencies — attackers target popular packages for maximum reach

Immediate Remediation Steps

If You Installed codexui-android

  1. Remove the package immediately: npm uninstall codexui-android
  2. Rotate all OpenAI API keys — Log into your OpenAI account and revoke all existing API keys, then generate new ones
  3. Review OpenAI usage logs — Check the OpenAI platform dashboard for unexpected API calls or unusual usage patterns in the past 30 days
  4. Audit billing — Review your OpenAI billing history for unauthorized charges
  5. Scan for additional malware — Run a full system scan; supply chain malware frequently drops additional persistence mechanisms
  6. Check CI/CD pipelines — If the package was installed in CI/CD environments, treat those as compromised and rotate all secrets

Preventive Measures Going Forward

  1. Use only official OpenAI packages — The official npm package is openai (maintained by @openai); verify the publisher of any OpenAI-adjacent package
  2. Verify package authenticity before installation — check publication date, download counts, maintainer history, and GitHub repository activity
  3. Audit postinstall scripts — Review package.json scripts in any package before installing, especially new or less-established packages
  4. Enable npm audit — Run npm audit regularly; report new malicious packages to npm security
  5. Monitor API key usage — Configure alerts for unusual OpenAI API consumption patterns or unexpected geographic access

Key Takeaways

  1. The malicious codexui-android npm package targeted OpenAI Codex developers, stealing authentication tokens via automatic postinstall hooks
  2. The attack required no user interaction beyond npm install — postinstall scripts execute silently and automatically
  3. Stolen OpenAI tokens enable unauthorized API access, billing fraud, and potential exposure of code and data submitted to the API
  4. This is part of a rapidly accelerating trend of supply chain attacks specifically targeting AI platform credentials and developer tooling
  5. Developers should use only official OpenAI packages, verify the authenticity of any AI tooling before installation, and rotate API keys immediately if they installed this package

Sources

  • The Hacker News — OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack
