27,000-Download Codex UI Tool Secretly Stole OpenAI Refresh Tokens

Supply‑chain attacks have migrated from traditional software libraries to the fast‑growing AI developer ecosystem. OpenAI’s Codex model powers countless productivity tools, and the associated authentication tokens grant unrestricted access to powerful code‑generation services. Because refresh tokens never expire, stealing them provides attackers with a permanent foothold, turning a single compromised package into a long‑term credential vault. This shift reflects a broader trend where threat actors prioritize high‑value, low‑visibility assets that can be leveraged across multiple projects.

The codexui-android package illustrates how attackers can embed malicious logic in a seemingly benign UI tool. By publishing the harmful code only in the compiled npm bundle, the authors evade typical source‑code reviews and static analysis that focus on public repositories. Once the module loads, it reads the local auth.json file, extracts access, ID, and refresh tokens, and forwards them to a Sentry‑like endpoint designed to blend with normal telemetry. The same technique is mirrored in Android applications that first install a Termux‑derived Linux environment, then pull the compromised npm package, effectively turning a mobile device into a covert exfiltration platform.

For enterprises and independent developers, the breach signals an urgent need to reassess third‑party dependencies, especially those interfacing with AI services. Implementing runtime monitoring, token rotation policies, and zero‑trust principles can mitigate the risk of long‑lived credential abuse. Moreover, security teams should expand their threat models to include supply‑chain vectors that target AI tooling, as the market’s rapid expansion will likely attract more sophisticated actors. Proactive auditing of binary packages and stricter verification of mobile app supply chains will become essential safeguards in the era of AI‑driven development.