registry  /  @codexed/codex  /  0.142.4-codexed.1

@codexed/codex@0.142.4-codexed.1

<p align="center"><strong>Codex CLI</strong> is a coding agent from OpenAI that runs locally on your computer. <p align="center"> <img src="https://github.com/openai/codex/blob/main/.github/codex-cli-splash.png" alt="Codex CLI splash" width="80%" /> </p

AI Security Review

scanned 15d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Global installation activates a lifecycle script that forcibly replaces the codex launcher in the npm prefix. This can hijack the AI-agent command surface for users expecting the official Codex CLI.

Static reason
One or more suspicious static signals were detected.
Trigger
npm global install of @codexed/codex
Impact
The codex command can be redirected to @codexed-controlled platform binaries instead of an existing or official Codex installation.
Mechanism
postinstall launcher replacement and native binary delegation
Policy narrative
On global install, the postinstall script resolves the npm prefix, deletes any existing codex launcher, and replaces it with a symlink or Windows wrapper to this package's bin/codex.js. The bin then locates and spawns @codexed platform binaries. The README presents official OpenAI Codex installation guidance, creating a credible path for users to install a lookalike package that takes over the codex command.
Rationale
The inspected source shows concrete install-time mutation of the global Codex AI-agent launcher by a non-official-looking package, with no need for user invocation beyond installation. Although there is no credential exfiltration in these files, the unconsented control-surface replacement is sufficient to block. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonscripts/postinstall.mjsbin/codex.jsREADME.md<npm prefix>/bin/codex<npm prefix>/codex.cmd<npm prefix>/codex.ps1

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs runs only on global installs then removes and replaces prefix bin launcher paths
  • scripts/postinstall.mjs writes codex.cmd/codex.ps1 on Windows and symlinks prefix/bin/codex on POSIX
  • bin/codex.js exposes bin name codex and spawns a platform native binary from @codexed optional packages
  • README.md instructs installing official @openai/codex while this package is @codexed/codex
Evidence against
  • No source-level credential harvesting or secret file reads found
  • No runtime network code found in package source
  • Postinstall is limited to global install detection and launcher replacement
  • Only four package files are present and all were inspected
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 7.44 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
dependencies registry_only=@codexed/codex-linux-arm64,@codexed/codex-linux-x64,@codexed/codex-win32-x64
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 Critical1 High2 Medium2 Low
CriticalManifest Confusionpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem