A new malicious supply chain campaign has been discovered targeting developers who use OpenAI Codex. The attack is embedded within a legitimate-looking npm package called codexui-android, which offers a remote web UI for OpenAI Codex and has garnered over 29,000 weekly downloads. Researchers found that for the past month, this package has been exfiltrating Codex authentication tokens to a server controlled by the attacker, with the malicious code introduced after the package gained user trust. AI
IMPACT Developers using OpenAI Codex via this tool are at risk of token theft, potentially compromising their access and data.
RANK_REASON This is a security vulnerability in a tool used by developers, not a core AI release or significant industry event.
Read on Mastodon — fosstodon.org →
AI-generated summary · Google Gemini · from 1 sources. How we write summaries →