LIVE THREATS
MEDIUM Python package 'llm-openai-via-codex 0.1a0' hijacks Codex CLI // CRITICAL LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure // HIGH Show HN: Browser Harness – Gives LLM freedom to complete any browser task // CRITICAL Paloalto's Zealot successfully attacks misconfigured cloud environments // HIGH Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign // HIGH Bad Memories Still Haunt AI Agents // CRITICAL ChatGPT's code runtime silently exfiltrates user data via malicious prompt // HIGH Claude's Mythos rival: Chinese Cybersecurity Firm claims finding 1000 vulnerabilities // CRITICAL Vertex AI agents can be weaponized to steal GCP service credentials // CRITICAL Project Glasswing Proved AI Can Find the Bugs. Who's Going to Fix Them? //
ATLAS OWASP MEDIUM Moderate risk · Monitor closely LLM Security Supply Chain Industry News RELEVANCE ▲ 6.5

Python package 'llm-openai-via-codex 0.1a0' hijacks Codex CLI

SOURCE Simon Willison ↗
TL;DR MEDIUM
  • What happened: New tool hijacks Codex CLI credentials to access OpenAI models via an unofficial backdoor API endpoint.
  • Who's at risk: Organisations and individuals with Codex CLI installed are at risk of credential misuse and unauthorised API quota consumption.
  • Act now: Audit Codex CLI credential storage and restrict file permissions on token files · Monitor OpenAI API usage for anomalous requests originating outside expected tooling · Avoid installing unvetted third-party LLM plugins that request access to existing CLI credentials
Python package 'llm-openai-via-codex 0.1a0' hijacks Codex CLI

Overview

On 23rd April 2026, Simon Willison published a release note for llm-openai-via-codex 0.1a0, a plugin for his llm CLI tool that explicitly ‘hijacks’ stored Codex CLI credentials to make API calls to OpenAI models via an unofficial or semi-official endpoint. The package is described as accessing OpenAI models through an existing Codex subscription, effectively bypassing the standard OpenAI API key mechanism. While framed as a developer convenience tool, the technique introduces meaningful security concerns around credential reuse, unofficial API surfaces, and supply chain trust.

Technical Analysis

The plugin works by reading locally stored credentials from the Codex CLI — likely a token or session file written to disk during Codex CLI authentication. It then uses these credentials to authenticate requests to an undocumented or semi-official OpenAI API endpoint, allowing users to access models such as GPT-5.5 without a separate API key or billing relationship.

This pattern involves several risk factors:

  • Credential file access: The plugin must read credential material from the local filesystem, which may be stored with insufficiently restrictive permissions.
  • Unofficial API endpoint: Use of a non-standard API surface means requests may bypass rate limiting, audit logging, or usage controls that OpenAI applies to its standard API.
  • Third-party package trust: Users installing this package are trusting it not to exfiltrate credential material to third parties — a trust assumption that is difficult to verify without source audit.
# Conceptual install and usage
pip install llm-openai-via-codex
llm -m openai-via-codex "Tell me about adversarial ML"

Framework Mapping

  • AML.T0012 (Valid Accounts): The technique explicitly leverages legitimately obtained Codex credentials to gain access to AI model inference, fitting the ATLAS definition of abusing valid accounts.
  • AML.T0040 (ML Model Inference API Access): The tool’s core function is to obtain inference access to OpenAI models through a non-sanctioned pathway.
  • AML.T0010 (ML Supply Chain Compromise): Distribution via a public package index with credential-handling capabilities represents a supply chain risk vector.
  • LLM05 (Supply Chain Vulnerabilities): Third-party plugins that handle authentication credentials introduce supply chain exposure for LLM tooling ecosystems.
  • LLM06 (Sensitive Information Disclosure): Credential files accessed by the plugin could be exfiltrated if the package were malicious or compromised.

Impact Assessment

The immediate impact is low for most individual users experimenting with the tool in good faith. However, the technique normalises credential hijacking as an acceptable developer pattern, which could lower the bar for malicious actors to publish similar packages with credential-exfiltration payloads. Enterprise users with Codex CLI deployed at scale face a higher risk of credential theft or quota abuse if similar packages proliferate on package indexes.

OpenAI also faces reputational and operational risk from unofficial API endpoints being publicly documented and exploited for subscription arbitrage.

Mitigation & Recommendations

  1. Audit Codex CLI credential storage: Review where tokens are stored and apply strict filesystem permissions (chmod 600).
  2. Monitor API usage: Use OpenAI’s usage dashboard to detect anomalous request volumes not attributable to known tooling.
  3. Vet third-party LLM plugins: Before installing any plugin that interacts with existing credentials, review source code or use a sandboxed environment.
  4. Organisational policy: Restrict installation of unvetted packages in environments where Codex CLI or similar tools are deployed with production credentials.

References