Malicious npm packages target developer environments

Cybersecurity researchers have disclosed details of malicious supply chain campaigns targeting developers through compromised npm packages. One campaign involves a functional tool that steals OpenAI Codex authentication tokens [1], while another has impacted over 320 packages to harvest CI/CD secrets [2]. A separate effort linked to a North Korean actor uses AI-assisted code commits to target cryptocurrency developers [3].

Key takeaways

• The codexui-android package exfiltrates OpenAI Codex tokens to a remote server [1].
• The Mini Shai-Hulud campaign compromised a maintainer account to infect over 320 npm packages [2].
• The PromptMink campaign used an AI-co-authored commit to deliver crypto-stealing malware [3].

OpenAI Codex tokens stolen via functional npm package

Aikido Security researchers found that the codexui-android package, advertised as a remote web UI for OpenAI Codex with over 29,000 weekly downloads, contains code to exfiltrate authentication tokens [1]. The malicious code was added about a month after publication to build trust, extracting data from a local file to a server masquerading as Sentry [1]. The threat actor also distributed the malware through Android apps, including "OpenClaw Codex Claude AI Agent," which runs the npm package within a sandbox to capture credentials [1]. The package author claimed to have lost access to their account and denied sharing data, though WHOIS records link them to the exfiltration domain [1].

Broad campaigns target CI/CD pipelines and crypto wallets

In a separate campaign dubbed Mini Shai-Hulud, attackers compromised the npm maintainer account 'atool' to publish malicious versions of popular packages like timeago.js and echarts-for-react [2]. This attack affected roughly 639 versions across data visualization and React ecosystems, using payloads to scrape GitHub Actions memory for secrets and harvest credentials from cloud providers [2]. Meanwhile, the PromptMink campaign attributed to the North Korean group Famous Chollima utilized a package named @validate-sdk/v2 [3]. This package was added to an autonomous trading agent via a commit co-authored by Anthropic's Claude Opus, employing a two-layer strategy to steal sensitive data and access crypto funds over seven months [3].

Why it matters

These incidents highlight a growing trend of threat actors targeting real AI developer tooling and software supply chains to steal credentials and gain persistent access [1]. The attacks exploit trust in legitimate-looking packages and delays in credential revocation, allowing attackers to burrow deeper into cloud environments even after keys are deleted [1][2].