OpenAI Codex Tokens Stolen in npm Supply Chain Attack
Malicious npm package codexui-android stole OpenAI Codex authentication tokens. Here's what developers need to know and how to protect your projects.
Attackers published a malicious npm package called codexui-android specifically designed to steal OpenAI Codex authentication tokens from developer machines. The package, disguised as a legitimate Android UI tooling library, executed credential harvesting code on install. This is a textbook supply chain attack, and the OpenAI Codex token theft angle makes it particularly damaging for any team using AI-assisted development workflows.
How the codexui-android npm Package Stole Credentials
The attack followed a pattern security researchers have seen repeatedly in npm-based supply chain campaigns. The malicious package included a postinstall script in its package.json that ran automatically the moment a developer executed npm install. No additional interaction required.
That script scanned common locations where OpenAI API keys and Codex authentication tokens are stored. This includes environment variables, .env files in the working directory, shell configuration files like .bashrc and .zshrc, and VS Code or editor-specific config directories where extensions sometimes cache API credentials.
Once harvested, the tokens were exfiltrated to an attacker-controlled server over HTTPS, making the outbound traffic blend in with normal web requests. The entire process completed in seconds, silently, before the developer ever ran a single line of the package's advertised functionality.
Why Stolen OpenAI Codex Tokens Are High-Value Targets
An OpenAI Codex token isn't just an API key. Depending on your organization's setup, a compromised Codex token can expose proprietary source code sent to the model for completion, internal tooling logic, and potentially billing accounts tied to the API. If your team uses Codex in automated pipelines, an attacker with your token can query the API indefinitely on your bill while also poisoning completions or exfiltrating whatever context you send.
The financial exposure alone is significant. Teams running large-scale AI-assisted code review or generation pipelines can accumulate thousands of dollars in API costs within hours if a token is actively abused.
Identifying Whether You Installed the Malicious Package
Check your node_modules, package-lock.json, and package.json files for any reference to codexui-android. Run npm ls codexui-android in your project root. If it appears anywhere in your dependency tree, treat your OpenAI credentials as compromised immediately.
Beyond the direct install, audit your npm install logs if you have them. Some CI/CD environments retain install output, which may show whether the package appeared as a transitive dependency pulled in by something else you installed recently.
Steps to Protect Your Projects from npm Supply Chain Attacks
Rotate any OpenAI API keys or Codex tokens stored on machines where the package may have been installed. Do this before anything else.
After rotating credentials, take these steps to reduce future exposure:
- Use npm audit and tools like Socket.dev or Snyk to scan packages before installation, particularly unfamiliar ones.
- Restrict where API keys are stored. Prefer secrets managers (Vault, AWS Secrets Manager, 1Password CLI) over plain .env files or shell profiles.
- Enable OpenAI API key usage limits and alerts in your account dashboard so anomalous usage triggers a notification.
- Lock dependency versions with package-lock.json and verify checksums in CI pipelines.
- Run npm install in sandboxed environments when evaluating unfamiliar packages.
Automated scanning tools can also catch suspicious postinstall behavior before it reaches production. Scan your web assets for related vulnerabilities at /scan to check for exposed secrets and misconfigurations in your deployed applications.
You can also review related coverage on dependency confusion and supply chain risks in our npm security blog.
Does rotating my OpenAI API key fully stop the attack?
Rotating immediately revokes attacker access via the stolen token. However, also audit any source code or prompts sent to Codex before rotation, since those may have been logged or exfiltrated during active exploitation.
How do I check if the package appeared as a transitive dependency?
Run npm ls codexui-android from your project root. Also check package-lock.json with a text search since transitive dependencies don't always surface in top-level audits.
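The lockfile search described in this answer and in the section on identifying the package can be done structurally instead of with a plain text search. The following is an added example, not code from the original article: it walks both lockfile layouts (the flat "packages" map of lockfileVersion 2/3 and the nested "dependencies" tree of version 1), reports every place codexui-android is installed or requested, and lists packages npm flagged with hasInstallScript. The sample lockfile, the package names example-ui-kit and example-native-addon, and all version strings are constructed.

```javascript
// Added example: audit a parsed package-lock.json for a named package and for
// packages that run install-time scripts. Sample data below is constructed.
const TARGET = 'codexui-android'; // package name from the article
const DEP_FIELDS = ['dependencies', 'optionalDependencies', 'devDependencies', 'peerDependencies'];

// lockfileVersion 2/3 keys look like "node_modules/a/node_modules/b".
function nameFromPath(path) {
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? '' : path.slice(i + 'node_modules/'.length);
}

// lockfileVersion 1 stores a nested tree under "dependencies".
function walkV1(deps, trail, target, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...trail, name].join(' > ');
    if (name === target) hits.push({ path: here, version: meta.version });
    if (meta.requires && target in meta.requires) hits.push({ path: here, requiredAs: 'requires' });
    walkV1(meta.dependencies, [...trail, name], target, hits);
  }
}

function auditLockfile(lock, target = TARGET) {
  const hits = [];           // every place the target is installed or requested
  const installScripts = []; // packages npm marked as having install hooks
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = nameFromPath(path) || path || '(root)';
      if (name === target) hits.push({ path, version: meta.version });
      for (const field of DEP_FIELDS) {
        if (meta[field] && target in meta[field]) hits.push({ path: path || '(root)', requiredAs: field });
      }
      if (meta.hasInstallScript) installScripts.push(name);
    }
  } else {
    walkV1(lock.dependencies, [], target, hits); // v1 has no hasInstallScript flag
  }
  return { hits, installScripts };
}

// Constructed lockfile: a hypothetical "example-ui-kit" pulls the package in transitively.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'example-ui-kit': '^1.0.0' } },
    'node_modules/example-ui-kit': { version: '1.0.2', dependencies: { [TARGET]: '*' } },
    ['node_modules/example-ui-kit/node_modules/' + TARGET]: { version: '0.0.0-sample', hasInstallScript: true },
    'node_modules/example-native-addon': { version: '2.1.0', hasInstallScript: true },
  },
};
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To audit a real project, pass JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) to auditLockfile. Any entry in hits means the credentials on that machine or CI runner should be rotated as described above.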
Can CI/CD pipelines be affected even if my local machine isn't?
Yes. Any environment that ran npm install with this package in scope is affected. Rotate secrets stored in your CI environment variables as well, including any OpenAI tokens injected at build time.
Scan your project dependencies and deployed applications for exposed credentials and supply chain risks at VibeWShield /scan.