Your AI Tools Are Leaking 🔑 — And So Is Your Instagram 🤖
Two stories today that hit close to home — one targeting developers who use AI coding tools, and one that could affect anyone with an Instagram account. If you use AI assistants at work or on your phone, keep reading.
🔑 That Popular AI Dev Tool Was Secretly Stealing Your Credentials
Researchers at Aikido Security discovered that codexui-android — an npm package with about 27,000 weekly downloads used to run OpenAI's Codex coding assistant — was quietly stealing users' login tokens in the background. Since version 0.1.82, the package was sending authentication credentials (including long-lived "refresh tokens" that don't expire) to an attacker-controlled server disguised as a legitimate analytics service. Even worse: the malicious code was hidden inside the published package but not visible in the public GitHub source code, making it nearly invisible to anyone doing a routine security review.
The same attacker also published Android apps on the Play Store that bundled the same malicious package. If you or anyone on your team installed this package, you should immediately revoke and rotate your OpenAI Codex credentials. This is a textbook supply chain attack — and a reminder that even popular, seemingly legitimate tools can be weaponized.
🤖 Hackers Are Tricking Meta's AI Into Handing Over Instagram Accounts
Attackers have found a clever way to hijack Instagram accounts using Meta's own AI support assistant. By spoofing their location with a VPN to match the target's region, they ask the AI to "link my new email address" for a specific @username. The AI — not realizing it's being manipulated — sends a password reset link to the attacker's email, handing over full account control. This technique is called "prompt injection," and it's quickly becoming one of the most dangerous attack methods in the AI era.
This attack requires no technical skill — just a VPN and knowledge of someone's username. Instagram accounts with large followings or linked business pages are especially at risk. For now, the best protection is enabling strong two-factor authentication and being skeptical of any unexpected password reset emails. Meta has not yet publicly confirmed a fix.
The threat landscape is evolving fast — especially as AI tools become part of everyday workflows. Stay ahead of threats with GOCO Security at gocosecurity.com.
.jpg)
Comments
Post a Comment