registry  /  @codexed/codex  /  0.144.4-codexed.2

@codexed/codex@0.144.4-codexed.2

<p align="center"><strong>Codex CLI</strong> is a coding agent from OpenAI that runs locally on your computer. <p align="center"> <img src="https://github.com/openai/codex/blob/main/.github/codex-cli-splash.png" alt="Codex CLI splash" width="80%" /> </p

AI Security Review

scanned 2h ago · by lpm-firewall-ai

On global npm install, the postinstall hook replaces existing `codex` launchers under the npm prefix without verifying ownership. No network or credential-exfiltration behavior is present in the inspected JavaScript source.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Global npm installation of `@codexed/codex`.
Impact
Can overwrite an existing `codex` command in the global prefix, creating command-collision or command-hijack risk.
Mechanism
postinstall launcher replacement and runtime local-binary spawn
Rationale
Source shows an install-time overwrite of globally named launchers, a concrete but package-aligned collision risk. No confirmed exfiltration, remote payload execution, AI-agent configuration mutation, or other malicious chain was found.
Evidence
package.jsonscripts/postinstall.mjsbin/codex.js${prefix}/bin/codex${prefix}/codex.cmd${prefix}/codex.ps1

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `scripts/postinstall.mjs` runs automatically on install.
  • Global installs delete `${prefix}/bin/codex` recursively, then replace it with a symlink.
  • Windows global installs overwrite `${prefix}/codex.cmd` and `${prefix}/codex.ps1`.
  • `bin/codex.js` spawns a platform binary supplied by an optional dependency.
Evidence against
  • Installer exits for non-global installs.
  • Lifecycle code only creates the package's `codex` launcher; no agent-config paths are referenced.
  • No network, credential harvesting, eval, dynamic code loading, or exfiltration appears in package source.
  • Launcher forwards user CLI arguments and inherited stdio to the selected local binary.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 8.82 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
dependencies registry_only=@codexed/codex-linux-arm64,@codexed/codex-linux-x64,@codexed/codex-win32-x64
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/codex.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @codexed/codex@0.142.4-codexed.1 matchedIdentity = npm:QGNvZGV4ZWQvY29kZXg:0.142.4-codexed.1 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/codex.jsView on unpkg

Findings

1 Critical2 High2 Medium2 Low
CriticalManifest Confusionpackage.json
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltabin/codex.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem