Bottom line: Attackers exploited a seemingly legitimate npm package with 27,000 weekly downloads to steal refresh tokens that grant unlimited access to accounts.
An npm package distributed under the name codexui-android exfiltrated developer authentication tokens despite malicious code being absent from the public GitHub repository. The incident reveals a security gap in the software supply chain that also applies to AI developer tools.
Security firm Aikido identified the package codexui-android, which posed as a remote UI for OpenAI Codex and harvested authentication tokens. The package was available via npm and featured an active GitHub repository with seemingly useful functionality. However, attackers inserted malicious code only into the npm distribution, not into the public source code repository. An accompanying Android app automated the loading and execution of the tampered package at runtime.
What was taken makes the theft particularly serious: the package exfiltrated access tokens, refresh tokens, ID tokens, and account IDs. Refresh tokens are high-risk because they do not expire. A stolen refresh token grants attackers persistent, silent access to all resources of the compromised account. Aikido warns that “Codex tokens go beyond pure chat interface access and enable unlimited access to everything the account can reach.”
The incident illustrates a protection gap in software supply chain security. Organizations typically focus their controls on source code, not on the artifacts that developers ultimately receive. A former CISO explains: “Legitimacy is the attack vector.” Developers turn to productivity tools like OpenAI Codex without anticipating manipulation. While standard code audits verify clean GitHub repositories, attackers can inject malware directly into the npm distribution.
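One way to check the artifact rather than only the repository, as an added example that is not from Aikido or the original article: it hashes every file in a published npm tarball (the output of `npm pack <name>@<version>`) and in a `git archive` tarball of the matching tagged commit, then lists files that exist only in the published artifact or differ from source. It assumes the package is published without a build step; the package name, file names and contents below are constructed.

```python
import hashlib
import io
import tarfile


def file_hashes(tgz_bytes):
    """Return {relative path: sha256} for regular files in a .tgz archive.

    The first path component is dropped, so npm's "package/" prefix and a
    git-archive prefix compare equal.
    """
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                rel = member.name.split("/", 1)[-1]
                hashes[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return hashes


def diff_artifact(published_tgz, source_tgz):
    """List files that exist only in the published artifact or differ from source."""
    published, source = file_hashes(published_tgz), file_hashes(source_tgz)
    return {
        "only_in_artifact": sorted(set(published) - set(source)),
        "modified": sorted(p for p in published.keys() & source.keys()
                           if published[p] != source[p]),
    }


def make_tgz(prefix, files):
    """Build an in-memory .tgz from {path: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: the published tarball has one changed file and one extra file.
SOURCE = make_tgz("repo-v1.0.0", {"package.json": b'{"name":"example-pkg"}',
                                  "index.js": b"module.exports = {};\n"})
PUBLISHED = make_tgz("package", {"package.json": b'{"name":"example-pkg"}',
                                 "index.js": b"require('./lib/extra');\nmodule.exports = {};\n",
                                 "lib/extra.js": b"// constructed placeholder\n"})

if __name__ == "__main__":
    print(diff_artifact(PUBLISHED, SOURCE))
```

For packages that do have a build step, the same comparison only works against a tarball produced by rebuilding the tagged commit in a clean environment.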
For enterprises, the larger risk lies in the fact that AI developer tools now carry high privilege levels. IDC forecasts that by 2028, half of enterprises in the Asia-Pacific region using agentic AI will require an “AI Bill of Materials” to continuously scan for vulnerabilities, manage licensing risks, and ensure compliance. Many organizations currently lack a complete inventory of which resources their AI tools can access, which credentials they inherit, and which external services interact with them. Most enterprises have not yet applied the same least-privilege and behavioral monitoring standards to AI tools as they do to human identities.
Source: www.csoonline.com · Published June 2, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 of the EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.