If you use OpenAI Codex: (1) audit your npm dependencies for `codexui-android`, (2) consider rotating your Codex API credentials, (3) review your local Codex authentication files for unauthorized access. The primary technical details in this brief come from Aikido Security’s disclosure; their full post is linked below. Specific technical details from that report are noted as sourced from Aikido where they couldn’t be independently confirmed from other available sources.
A supply chain attack targeting OpenAI Codex developers was publicly disclosed June 2. The campaign, reported by CSO Online and Dataconomy, centered on a package named `codexui-android`, distributed through the npm registry and presented as a remote web UI tool for Codex. The package had already gained community traction before the malicious code was identified.
That’s the tactic. The repository looked legitimate. The package attracted real users. Then the malicious payload was introduced after adoption had already occurred, designed to target developers who had integrated a seemingly clean tool into their workflows. It’s the kind of attack that defeats standard “check the repo before installing” security hygiene because the repo was clean when people checked it.
According to Aikido Security, the disclosing researcher, the package had accumulated over 29,000 weekly downloads before detection. That figure hasn’t been independently confirmed from other available sources. Per Aikido Security’s investigation, the package reportedly targeted authentication credentials including non-expiring session tokens. If confirmed, that detail means stolen tokens would allow persistent account access long after the package is removed. Aikido Security reportedly identified exfiltration to a domain designed to resemble legitimate Sentry error-reporting infrastructure. These specific technical details are sourced from Aikido Security’s disclosure; their full post is the primary technical reference. Aikido Security reportedly attributed the package to a specific npm account; that attribution hasn’t been independently confirmed.
The attack surface shift. This isn’t an isolated incident. It’s the third documented AI developer supply chain incident in roughly two weeks: the CSA Shai-Hulud/Megalodon campaign (May 24) hit AI toolchain packages broadly, and Project Lightwell (May 29) revealed credential exposure vectors in agentic orchestration layers. The pattern is consistent: as agentic developer tooling proliferates and authentication tokens gain persistent, non-expiring value, npm packages targeting AI credentials become high-return attack vectors. The economics favor the attacker. A non-expiring session token provides durable access without requiring repeated compromise.
Standard npm security review (checking the GitHub repo, reading the README, scanning for obvious malicious code) doesn’t catch a clean-repo-plus-delayed-payload tactic. Audit your installed packages, not just the ones you’re evaluating.
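One way to audit what is actually installed, direct and transitive, as an added example (not code from this brief or from Aikido Security’s disclosure): it searches a parsed `package-lock.json` for `codexui-android`. The sample lockfile, its other package names and all version strings are constructed.

```javascript
// Added example: locate every installed copy of a package in a parsed lockfile.
const TARGET = "codexui-android"; // package name as given in the brief

// Lockfile v2/v3 keys are install paths such as "node_modules/a/node_modules/b";
// the package name is whatever follows the last "node_modules/".
function nameFromPath(installPath) {
  const marker = "node_modules/";
  const i = installPath.lastIndexOf(marker);
  return i === -1 ? null : installPath.slice(i + marker.length);
}

// Lockfile v1 has a nested "dependencies" tree keyed by package name.
function walkV1(deps, target, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...trail, name];
    if (name === target) hits.push({ where: here.join(" > "), version: info.version || null });
    walkV1(info.dependencies, target, here, hits);
  }
}

// Return every installed copy of `target`, direct or transitive.
function findPackage(lock, target = TARGET) {
  const hits = [];
  if (lock.packages) {
    for (const [installPath, info] of Object.entries(lock.packages)) {
      // Aliased installs record the real package name in "name".
      const name = info.name || nameFromPath(installPath);
      if (installPath !== "" && name === target) {
        hits.push({ where: installPath, version: info.version || null });
      }
    }
  } else {
    walkV1(lock.dependencies, target, [], hits);
  }
  return hits;
}

// Constructed sample lockfile (names other than TARGET and all versions are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/some-codex-helper": { version: "0.0.1" },
    "node_modules/some-codex-helper/node_modules/codexui-android": { version: "0.0.0-example" },
    "node_modules/remote-ui": { name: "codexui-android", version: "0.0.0-example" },
  },
};

for (const hit of findPackage(SAMPLE_LOCK)) console.log(`${hit.where} @ ${hit.version}`);
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` contents to `findPackage`; an empty array means no copy is recorded in that lockfile.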
What to watch. Aikido Security’s full technical disclosure is the definitive reference for this incident. If you’re a Codex user or managing a team that is, check the disclosure directly. The npm registry’s response to the `codexui-android` package (removal, flagging, downstream notifications) and any npm platform-level response to this class of attack are worth monitoring. Watch for whether Aikido or independent researchers can confirm the actor attribution.
Unanswered Questions
- Has npm removed `codexui-android` and notified downstream users?
- Are non-expiring session tokens a structural issue with Codex's current auth model, or a per-install credential?
- Has the actor attribution (reportedly a specific npm account) been independently confirmed?
- Do existing AI developer supply chain scanning tools detect delayed-payload tactics of this type?
TJS synthesis. AI developer tooling has become a credential theft target. That’s not a prediction; it’s already documented across three separate incidents in May-June 2026. If your team uses Codex, treat npm packages in the Codex ecosystem with the same scrutiny you’d apply to production dependencies in a regulated environment. Rotate credentials now, before forensic confirmation. The cost of rotating is low. The cost of a persistent non-expiring session token in an attacker’s hands isn’t.
*Note: Full technical details for this incident are reported by Aikido Security. This brief is based on confirmed story existence via CSO Online and Dataconomy, plus Aikido Security’s disclosure as the primary technical source. The Aikido Security blog post is linked below; specific technical details sourced from their investigation are noted accordingly.*