Key facts
- A popular OpenAI Codex npm package, codexui-android, stole developer tokens for approximately one month.
- codexui-android had around 29,000 weekly downloads.
- The Miasma worm compromised 73 Microsoft GitHub repositories.
- Malicious code was planted in compromised GitHub repositories to harvest developer credentials.
- Anthropic proposed a coordinated pause on frontier AI development if AI systems advance too quickly.
- Dashlane reported a breach that compromised fewer than 20 accounts and resulted in downloaded encrypted vaults.
- Attackers bypassed Dashlane's 2FA via brute force.
- OpenAI's NBA Finals advertisement included a hidden minigame for free AI tokens.
- Kodesage raised $6.6 million for AI modernization of legacy enterprise software.
- Mira Murati, formerly of OpenAI, discussed AI governance after an 18-month media silence.
A popular npm package for OpenAI Codex, codexui-android, has been identified as stealing developer tokens from users for approximately one month. This package, which had around 29,000 weekly downloads and maintained an active GitHub repository, appeared to be legitimate.
In a separate incident, the Miasma worm has compromised 73 Microsoft GitHub repositories across various Microsoft organizations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs. Malicious code was inserted into these repositories with the intent of harvesting developer credentials. GitHub has responded by disabling the affected repositories.
Concerns about the rapid advancement of artificial intelligence have led AI developer Anthropic to propose a coordinated and verifiable mechanism for frontier AI developers to temporarily halt or slow down development. This proposed pause would be initiated if advanced AI systems improve at a pace that outstrips society's ability to manage the consequences, addressing anxieties about AI operating without permission.
Password manager Dashlane disclosed a security breach in which attackers bypassed two-factor authentication (2FA) by brute force. The incident compromised fewer than 20 accounts and resulted in the download of those users' encrypted vaults. The breach began on May 31 and also led to lockouts for other targeted users.
OpenAI also aired an advertisement during the NBA Finals to promote its AI coding tool, Codex. The advertisement featured a hidden cosmic logic puzzle minigame, which allowed players to win free AI tokens. While the promotional tokens have since run out, the game itself remains accessible.
Further developments in the AI landscape include a $6.6 million funding round for Kodesage, a startup focused on using AI to modernize legacy enterprise software, particularly for banks and insurers. Kodesage's AI operates entirely on-premise.
Mira Murati, formerly instrumental in shipping ChatGPT, DALL-E, and Codex, has broken her 18-month media silence to discuss AI governance, emphasizing ethical development.
Upwind has launched a new AI security platform, with CEO Amiram Shachar asserting that AI security is integral to agentic AI capabilities.
Publishing professionals are facing increased risks from AI-generated deepfakes used in sophisticated impersonation scams.
Separately, Jim Hagemann Snabe's appointment as the European Commission's special envoy for industrial artificial intelligence has faced backlash due to potential conflicts of interest, particularly concerning Siemens' prior actions regarding the EU's AI Act.
Lastly, Russian developers are experiencing ongoing access issues with PyPI, the Python package repository, for the second consecutive day.
