Attack on Codex: Malicious npm Package Steals Access Tokens

Published on June 01, 2026 | Translated from Spanish

A malicious npm package named codexui-android has been used to steal OpenAI Codex authentication tokens. Developers who pulled it into their projects are exposed to having their tokens used without permission, and that exposure carries over to any Codex-based service those tokens can reach. The immediate job is to review access and rotate the affected credentials.


How malicious code exploits developer credentials 🔐

The codexui-android package poses as a legitimate Android library, but on installation it runs a script that harvests authentication tokens stored in the developer's environment. npm executes install-time lifecycle scripts automatically, so the developer does not have to run anything beyond the install itself. The stolen tokens grant the same access to the Codex API that the developer has, opening the door to unauthorized queries or data leaks. The package has already been removed from the npm registry, but anyone who installed it must rotate their tokens immediately and audit their projects, and their API usage, for suspicious access.

The package that wanted to be Android but was a token thief 🦹

Someone thought it would be a good idea to name a package codexui-android when it has nothing to do with Android and everything to do with a scam. It's like ordering a pizza and getting an electricity bill instead. Developers who installed it now have the dubious honor of having handed their tokens to a stranger. Good thing rotating a token is free, because the lesson has been costly in time and dignity.
Someone thought it would be a good idea to call a package codexui-android that has nothing to do with Android and everything to do with a scam. It's like ordering a pizza and getting an electricity bill instead. Developers who installed it now have the dubious honor of having given their tokens to a stranger. Good thing changing passwords is free, because the lesson has been costly in time and dignity.