What Happened
A malicious npm package posing as a remote user interface for OpenAI Codex has been found to exfiltrate developer authentication tokens. Researchers at Aikido discovered the package, called codexui-android, which appeared to offer legitimate functionality while collecting authentication tokens and sending them to an external server. This incident reflects a broader pattern in which attackers build credible and useful projects as cover for malicious activity.
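A quick way to check whether a project has pulled in the package named above, directly or transitively, is to scan its lockfile. The following is an added example, not code from Aikido or from the original article; the helper names, placeholder versions and sample lockfiles are constructed for illustration, and it handles both the nested v1 layout and the flat v2/v3 `packages` map, including npm aliases.

```javascript
// Added example: look for a flagged package in a parsed npm lockfile (v1, v2 or v3).
// The package name comes from this page; versions and sample lockfiles are constructed.
const FLAGGED = new Set(["codexui-android"]);

// v2/v3 keys are install paths ("node_modules/a/node_modules/b"); the package
// name is whatever follows the last "node_modules/" (scopes keep "@scope/").
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

function scanPackagesMap(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // root project entry
    // npm records "name" when the folder is an alias for another package.
    const name = meta.name || nameFromPath(path);
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version, path });
  }
}

// v1 nests transitive installs under "dependencies"; an alias shows up as
// version "npm:<real-name>@<version>".
function scanDependencyTree(deps, trail, hits) {
  for (const [key, meta] of Object.entries(deps || {})) {
    const alias = /^npm:(.+)@([^@]+)$/.exec(meta.version || "");
    const name = alias ? alias[1] : key;
    const path = [...trail, key].join(" > ");
    if (FLAGGED.has(name)) hits.push({ name, version: alias ? alias[2] : meta.version, path });
    scanDependencyTree(meta.dependencies, [...trail, key], hits);
  }
}

function findFlagged(lock) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, hits);
  else scanDependencyTree(lock.dependencies, [], hits);
  return hits;
}

// Constructed lockfiles: a transitive install (v3) and an aliased one (v1).
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/example-dep": { version: "0.0.0" },
  "node_modules/example-dep/node_modules/codexui-android": { version: "0.0.0" } } };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "example-alias": { version: "npm:codexui-android@0.0.0" } } };

console.log(findFlagged(sampleV3), findFlagged(sampleV1));
```

To run it against a real project, pass `findFlagged` the result of `JSON.parse` on that project's `package-lock.json`.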
In a separate incident, researchers at Obsidian Security have detailed a one-click remote code execution (RCE) vulnerability affecting self-hosted Flowise deployments through its implementation of Model Context Protocol (MCP) stdio servers. The problem is essentially a sandboxing failure of attacker-controlled MCP configurations, leading to server-side code execution.
Meanwhile, Microsoft has addressed an incident preventing customers from setting up multi-factor authentication (MFA) or accessing the My Sign-Ins platform. The company has also resolved a known issue causing installation failures and 0x800f0922 errors when deploying the May 2026 Windows 11 security update (KB5089549).
Why It Matters
These incidents highlight the security risks associated with AI software supply chains and the importance of secure authentication and update processes. The malicious package targeting OpenAI Codex users demonstrates the potential for attackers to gain persistent and silent access to developer accounts. The vulnerability in Flowise's MCP implementation underscores the need for secure sandboxing and input validation in AI development platforms.
The outages affecting Microsoft's MFA and Windows updates also emphasize the importance of reliable authentication and update processes. The incidents may have significant consequences for users and organizations relying on these services.
What Experts Say
"AI developer tooling is becoming a high-value target precisely because the tokens are powerful and long-lived," said Aikido. "A stolen Codex refresh_token goes beyond access to a chat interface — it's persistent, silent access to whatever that account can do."
Key Facts
- Who: OpenAI, Flowise, Microsoft
- What: Malicious package, vulnerability, outages
- Impact: Security risks, authentication and update disruptions
What Comes Next
As the use of AI and cloud services continues to grow, it is essential for organizations and individuals to prioritize security and authentication. This includes implementing secure development practices, monitoring for vulnerabilities, and ensuring reliable update processes. Users should also be cautious when installing packages and updates, and report any suspicious activity to the relevant authorities.