Popular Codex package caught exfiltrating authentication credentials

Researchers uncovered a malicious supply chain attack using a fake OpenAI Codex web UI called codexui-android that steals authentication tokens.