Key facts
- The npm package codexui-android was stealing developer tokens.
- The package had approximately 29,000 weekly downloads.
- The malicious activity has been ongoing for about one month.
- codexui-android offered a remote web UI for OpenAI Codex.
- The package had an active GitHub repository and development history.
A popular npm package named codexui-android, which offered a remote web UI for OpenAI Codex, has been discovered to be stealing developer tokens. The package appeared legitimate, with an active GitHub repository, a visible development history and approximately 29,000 weekly downloads. For about the past month, however, it has been silently reading and exfiltrating sensitive developer tokens. This report does not detail the full extent of the compromise or which specific tokens were targeted, but the implication is a significant security breach for developers relying on this tool.
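A first response step for a team that may have pulled this package is to find out where it is present, directly or transitively. The script below is an added example and is not code from the report or from any project it mentions; it assumes only the package name given above (codexui-android) and uses npm's documented lockfile layouts (v1 nests transitive dependencies under "dependencies", v2/v3 list every installed package under "packages" keyed by its node_modules path). The manifests embedded in it are constructed samples; `scan_tree()` runs the same checks over real files on disk.

```python
"""Locate a named malicious npm package in package.json and lockfiles.

Added example (not part of the original report). It checks three places a
package can show up: the project's own package.json dependency sections,
package-lock.json / npm-shrinkwrap.json (v1 or v2/v3 layout), and the
package.json of an already-installed package under node_modules.
"""
import json
from pathlib import Path

# Package named in the report; extend this set with further names as needed.
MALICIOUS_PACKAGES = {"codexui-android"}

DEP_SECTIONS = ("dependencies", "devDependencies",
                "optionalDependencies", "peerDependencies")


def scan_package_json(text):
    """Return [(name, version_or_spec, where)] for flagged entries in a package.json."""
    data = json.loads(text)
    hits = []
    # An installed package's own manifest names itself: node_modules/<pkg>/package.json
    if data.get("name") in MALICIOUS_PACKAGES:
        hits.append((data["name"], data.get("version", "?"), "installed-package"))
    for section in DEP_SECTIONS:
        for name, spec in (data.get(section) or {}).items():
            if name in MALICIOUS_PACKAGES:
                hits.append((name, spec, section))
    return hits


def _walk_v1(deps, hits):
    """Recurse through the nested v1 'dependencies' tree (transitive deps)."""
    for name, info in (deps or {}).items():
        if name in MALICIOUS_PACKAGES:
            hits.append((name, info.get("version", "?"), "lock-v1"))
        _walk_v1(info.get("dependencies"), hits)


def scan_lockfile(text):
    """Return [(name, resolved_version, where)] for flagged entries in a lockfile."""
    data = json.loads(text)
    hits = []
    if "packages" in data:
        # v2/v3: keys look like "node_modules/a/node_modules/b"; "" is the root project.
        for path, info in data["packages"].items():
            if not path:
                continue
            name = info.get("name") or path.split("node_modules/")[-1]
            if name in MALICIOUS_PACKAGES:
                hits.append((name, info.get("version", "?"), "lock-v2+"))
    else:
        _walk_v1(data.get("dependencies"), hits)
    return hits


def scan_tree(root):
    """Walk a directory tree and report every flagged manifest or lockfile entry."""
    results = []
    for path in Path(root).rglob("*.json"):
        if path.name == "package.json":
            hits = scan_package_json(path.read_text(encoding="utf-8"))
        elif path.name in ("package-lock.json", "npm-shrinkwrap.json"):
            hits = scan_lockfile(path.read_text(encoding="utf-8"))
        else:
            continue
        results.extend({"file": str(path), "name": n, "version": v, "where": w}
                       for n, v, w in hits)
    return results


# Constructed sample inputs (not real project files).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "my-app", "version": "1.0.0",
    "dependencies": {"express": "^4.18.0", "codexui-android": "^1.2.0"},
})
SAMPLE_LOCK_V3 = json.dumps({
    "name": "my-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "version": "1.0.0"},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/some-tool/node_modules/codexui-android": {"version": "1.2.3"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "some-tool": {"version": "2.0.0",
                      "dependencies": {"codexui-android": {"version": "1.2.1"}}},
    },
})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for r in scan_tree(sys.argv[1]):
            print(r)
    else:
        print(scan_package_json(SAMPLE_PACKAGE_JSON))
        print(scan_lockfile(SAMPLE_LOCK_V3))
        print(scan_lockfile(SAMPLE_LOCK_V1))
```

Run it with a directory argument to scan real checkouts (`python scan.py ~/src`); the lockfile check matters because a transitive dependency never appears in the top-level package.json, and the installed-package check catches copies that are on disk even when the lockfile has since been regenerated.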