You won't believe how hackers just stole thousands of OpenAI users' authentication tokens - what does this mean for your privacy and security?
Codex tokens were exfiltrated via a popular npm package, affecting users since v0.1.82 and enabling persistent account access.
Cybersecurity researchers have disclosed details of a malicious supply chain campaign targeting developers who use OpenAI Codex through a legitimate-looking remote web UI called codexui-android. The tool, advertised on GitHub and npm, has been compromised since version 0.1.82, allowing attackers to exfiltrate Codex tokens and gain persistent account access. The compromise has affected thousands of users, though the exact number is still unknown. The codexui-android package has been downloaded over 100,000 times, increasing the potential impact of the breach.
The breach directly affects users who rely on OpenAI Codex for development purposes, potentially compromising their projects and data. As a result, developers may face significant costs to rectify the situation, with estimates suggesting that the average cost of a data breach can exceed $1 million. This financial burden can be substantial, especially for small to medium-sized businesses or individual developers. The breach may also lead to a loss of trust in OpenAI Codex and its associated tools.
This incident is part of a larger trend of supply chain attacks targeting popular open-source packages on npm. In recent years, several high-profile breaches have occurred, including the compromise of the eslint-scope package in 2020. Security practitioners point out that the ease of publishing packages on npm, combined with the lack of rigorous vetting, creates an environment conducive to these types of attacks. The OpenAI Codex breach highlights the need for increased security measures and vigilance in the open-source community.
In the coming weeks, OpenAI is expected to release a patch for the affected codexui-android package, which will be available on npm. The company will also provide guidance on how to revoke and reissue compromised authentication tokens. Notably, the breach has raised questions about the long-term viability of OpenAI Codex's current authentication system, with some experts suggesting that a more robust system may be needed to prevent similar breaches in the future.
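Until a fixed release exists, the practical first step for a developer is to find out whether an affected copy of the package is installed. The following script is an added example, not code from the article, OpenAI, or the codexui-android project; it assumes the affected range stated above (0.1.82 and later, with no fixed version yet named) and the package-lock.json v2/v3 layout, where every installed package, including nested copies, appears under "packages" with keys of the form "node_modules/<name>".

```python
"""Scan an npm lockfile for affected installs of codexui-android."""
import json
import re

AFFECTED_PACKAGE = "codexui-android"
FIRST_AFFECTED = "0.1.82"  # per the article; no fixed version is named yet


def parse_version(version: str) -> tuple:
    """Turn '0.1.82' (prerelease/build suffixes ignored) into a comparable tuple."""
    core = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in core.groups())


def is_affected(version: str) -> bool:
    """True for every version from the first compromised release onward."""
    return parse_version(version) >= parse_version(FIRST_AFFECTED)


def find_affected(lockfile_text: str) -> list:
    """Return (lockfile path, version) for each affected copy, nested ones included."""
    lock = json.loads(lockfile_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        # The last "node_modules/" segment is the package name, even when nested.
        name = path.split("node_modules/")[-1]
        version = meta.get("version", "0.0.0")
        if name == AFFECTED_PACKAGE and is_affected(version):
            hits.append((path, version))
    return hits


# Constructed sample lockfile: one pre-compromise copy and one nested affected copy.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/codexui-android": {"version": "0.1.80"},
        "node_modules/some-dep/node_modules/codexui-android": {"version": "0.1.83"},
    },
})

if __name__ == "__main__":
    for path, version in find_affected(SAMPLE_LOCK):
        print(f"affected install: {path}@{version}")
```

A hit means the Codex token on that machine should be treated as exposed and revoked, independent of whether the package is later removed.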