OpenAI Codex tool linked to malicious NPM supply chain attack (www.techradar.com)

🤖 AI Summary
A recent supply-chain attack has been discovered targeting developers using OpenAI's Codex, a popular coding assistant tool. A malicious npm package named “codexui-android” posed as a legitimate UI tool for Codex, amassing over 29,000 weekly downloads. Initially, the package seemed harmless, with its GitHub code appearing clean. However, an update introduced code designed to exfiltrate Codex authentication tokens, including non-expiring refresh tokens, which could allow attackers unfettered access to victims' OpenAI accounts. The implications of this breach are significant for the AI/ML community, as it not only exposes the vulnerabilities within open-source dependencies but also highlights the potential for serious misuse of authentication tokens. Attackers could gain access to sensitive project information and API credits, allowing them to impersonate developers indefinitely. Aikido Security researchers also noted the emergence of two additional malicious Android apps targeting Codex users, further underscoring the need for heightened security awareness in the software development community. The incident serves as a stark reminder of the risks associated with supply chain vulnerabilities in software development.