ADVERTISEMENT

OpenAI credential-stealing malware found hidden inside popular Codex tool

A popular Codex tool used by thousands of developers has been secretly stealing users’ login tokens for the past month, all by triggering the installation of a malicious npm package. It’s still available for download on Google Play as of today.

npm package compromise

Image by Cybernews.

Stefanie Schappert
Stefanie Schappert Senior Journalist
May 29, 2026 Updated: 29 May 2026 3 min read
Key takeaways:
openai-codex
The malicious package posed as a remote interface for OpenAI Codex users. Image by PixieMe | Shutterstock

Malware hidden in npm package, not GitHub repo

Aikido Security researcher Charlie Eriksen warned the package was stealing authentication tokens.
malicious npm package author Github
Researchers linked the package author to a GitHub account under the name BrutalStrike. Image by Aikido Security

Stolen refresh tokens could allow long-term access

  • access tokens
  • refresh tokens
  • ID tokens
  • account identifiers
agent dressed in black on a cloud, sky blue background, coding, codex sign on back
Researchers say stolen refresh tokens could give attackers long-term access to accounts. Image by Cybernews
ADVERTISEMENT

Author has multiple apps on Google Play

Brutal Strike Google Play apps
Researchers linked the package author to multiple Android apps on Google Play. Image by Aikido Security
BrutalForce npm malware response
Researchers say comments inside the source map “leave no room for interpretation.” Images by Aikido Security
Jurgita Lapienyte justinasv Izabele Pukenaite vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Add us as your Preferred Source on Google.

Has your password leaked?

Enter your password to check if it has leaked. Having a leaked password creates the risk of identity theft, financial damages, and worse!
35,607,543,468
Exposed Passwords
Ad
Protect your personal information from cybercriminals and get 50% off the top-rated password manager
link_title link_title

ADVERTISEMENT