Malicious npm package "Codex" stole developer credentials for a month before detection
Summary
A popular npm package called "Codex" (providing a remote web UI for OpenAI Codex) was found to be stealing developer credentials for about a month. With approximately 29,000 weekly downloads and an active GitHub repository, the package silently exfiltrated access tokens, refresh tokens, ID tokens, and account IDs from ~/.codex/auth.json to an attacker-controlled server. The same credential-theft mechanism was also found in two Android apps with over 60,000 combined downloads. The exfiltration domain was registered on April 12, 2026, just two days after the malicious npm version 0.1.72 was uploaded. Because refresh tokens don't expire, attackers could silently impersonate victims indefinitely.
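A defender-side triage helper for this incident, added here as an example and not code from the report or from the package: it scans a package-lock.json for the "codex" package at or above the version named above and inventories which credential types a ~/.codex/auth.json holds, so the affected tokens can be revoked without ever printing their values. The auth.json field names, and the assumption that releases after 0.1.72 are also affected, are assumptions, not facts from the page.

```python
"""Triage helper for the malicious "codex" npm package (added example)."""
import json

PACKAGE = "codex"
FIRST_BAD_VERSION = (0, 1, 72)  # version named in the report; later versions assumed affected too
# Credential types the report says were exfiltrated; exact key names in auth.json are assumed.
TOKEN_KEYS = ("access_token", "refresh_token", "id_token", "account_id")


def parse_version(v: str) -> tuple:
    """'0.1.72' -> (0, 1, 72); pre-release suffixes after '-' are ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def affected_versions(lock_json: str) -> list:
    """Return versions of 'codex' in a package-lock.json that are >= the first bad version."""
    lock = json.loads(lock_json)
    found = []
    # lockfileVersion 2/3: "packages" keyed by install path; v1: "dependencies" keyed by name
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + PACKAGE) and "version" in meta:
            found.append(meta["version"])
    for name, meta in lock.get("dependencies", {}).items():
        if name == PACKAGE and "version" in meta:
            found.append(meta["version"])
    return sorted({v for v in found if parse_version(v) >= FIRST_BAD_VERSION})


def exposed_credentials(auth_json: str) -> list:
    """List which credential types an auth.json holds; secret values are never returned."""
    data = json.loads(auth_json)
    tokens = data.get("tokens", data)  # assumed layout: nested under "tokens" or flat
    return [k for k in TOKEN_KEYS if tokens.get(k)]


def triage(lock_json: str, auth_json: str) -> dict:
    """Combine both checks: what to rotate, and whether sessions must be revoked server-side
    (a non-expiring refresh token means rotating the access token alone is not enough)."""
    versions = affected_versions(lock_json)
    creds = exposed_credentials(auth_json) if versions else []
    return {"affected_versions": versions, "rotate": creds,
            "revoke_sessions": "refresh_token" in creds}


# Constructed sample inputs (not real project or credential files)
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/codex": {"version": "0.1.72"},
    "node_modules/chalk": {"version": "5.3.0"}}})
SAMPLE_AUTH = json.dumps({"tokens": {"access_token": "at-redacted", "refresh_token": "rt-redacted",
                                     "id_token": "idt-redacted", "account_id": "acct-redacted"}})

if __name__ == "__main__":
    print(triage(SAMPLE_LOCK, SAMPLE_AUTH))
```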
Key quotes
For about a month, each invocation silently read ~/.codex/auth.json and sent access tokens, refresh tokens, ID tokens, and account IDs to an attacker-controlled server.
The same credential-theft chain also appeared in two Android apps with over 60,000 combined downloads.
The exfiltration domain was registered on 12 April 2026, two days after npm version 0.1.72 was uploaded.
The refresh token's non-expiration allows silent, indefinite impersonation.
