Is the OpenAI Codex Chrome extension safe?
OpenAI's Codex Chrome extension (launched May 2026) lets the Codex coding agent drive your real, signed-in Chrome - Gmail, internal tools and all. It requests read-and-change access to every website and your browsing history on every device. Here's what that means.
- Vendor: OpenAI (official, launched May 2026)
- Type: Codex coding agent driving your real Chrome profile
- Access: All websites + browsing history on all devices
The official OpenAI Codex Chrome extension is real and new, launched in May 2026. It lets the Codex coding agent act inside your actual Chrome profile - the one already signed into Gmail, Salesforce, LinkedIn and your internal tools - so it can test, reproduce and debug against real, authenticated web apps. That's powerful for developers, and it's also one of the broadest access grants any extension asks for.
Its permissions spell that out: it requests "read and change all your data on all websites" and "read and change your browsing history on all your signed-in devices". OpenAI mitigates this with domain allow and block lists and per-site confirmation, but the default capability is an AI agent operating with your full logged-in identity across the web. As with every agentic browser tool, the main threat is prompt injection: content in a page or web app steering the agent into actions you didn't intend.
Two extra cautions. First, because "Codex" is a breakout search term, expect impersonators, and the fake-AI-extension playbook (hundreds of thousands of installs stealing data) is well established. Install only through OpenAI's official Codex desktop-app flow, not a random Web Store result. Second, the confirmed Codex-branded attack so far wasn't a Chrome extension at all: a malicious npm package stole developers' Codex auth tokens. Protect the credentials, scope the agent, and scan what's in your browser.
What it can access
- Your real, signed-in Chrome profile - Gmail, Salesforce, internal tools and anywhere else you're authenticated
- Read and change data on every website you visit
- Read and change your browsing history across all your signed-in devices
- Actions on the page: driving web apps the way a developer would, under your identity
What to watch for
- Breadth: "all websites" plus "browsing history on all signed-in devices" is among the widest access any extension requests
- Prompt injection: an agent that reads and acts on web content can be steered by instructions hidden in that content
- Impersonators: "codex" is a breakout search, and fake AI extensions with hundreds of thousands of installs have stolen data - install only via OpenAI's official flow
- Token theft: a malicious npm package (reported by Aikido) stole developers' Codex auth tokens from ~/.codex/auth.json - non-expiring credentials enabling long-term account impersonation
How to run Codex in Chrome without over-exposing yourself
The extension needs broad access to do its job. The goal is to scope it, protect the credentials, and keep impostors out.
1. Install only through OpenAI's official flow. Add it via the Codex desktop app's handshake, not a Web Store search for "codex". Given it's a breakout term, fake versions are the predictable next step.
2. Use domain allow and block lists. Restrict the agent to the sites the task actually needs. The narrower the domain scope, the less an injected instruction can reach.
3. Keep per-site confirmation on. Require confirmation for sensitive actions rather than letting the agent act freely across every authenticated tab.
4. Protect your Codex credentials. The confirmed Codex attack stole auth tokens from ~/.codex/auth.json via a malicious npm package. Guard that file, rotate tokens, and vet Codex-related packages before installing.
5. Inventory and scan every extension. Scan what's already in developers' browsers across the fleet, so a broad-access coding agent isn't sharing the browser with something that quietly reads the same pages.
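A starting point for the inventory step, as an added example that is not code from OpenAI or from this page's authors. It generalises beyond Codex to any installed extension: Chrome shows the two warnings quoted above for all-sites host patterns such as `<all_urls>` and for the `history` permission, so the script flags manifests that declare either. It assumes the usual profile layout `Extensions/<id>/<version>/manifest.json`; the function names and the sample extension IDs are made up for illustration.

```python
import json
import tempfile
from pathlib import Path

ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return broad-access findings for one parsed manifest.json."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
    hosts = set(perms) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    findings = []
    if hosts & ALL_SITES:
        findings.append("all-sites")  # "read and change all your data on all websites"
    if "history" in perms:
        findings.append("history")  # "read and change your browsing history ..."
    return findings

def inventory(extensions_dir):
    """Map extension ID -> findings, reading <id>/<version>/manifest.json."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            findings = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError, TypeError):
            findings = ["unreadable-manifest"]  # surface it rather than skip it
        if findings:
            report[path.parts[-3]] = findings
    return report

def build_sample(root):
    """Constructed sample: two made-up extensions, not real IDs or manifests."""
    samples = {
        "aaaa": {"permissions": ["history", "tabs"], "host_permissions": ["<all_urls>"]},
        "bbbb": {"permissions": ["storage"], "host_permissions": ["https://example.com/*"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / "1.0.0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(inventory(build_sample(tmp)))
```

Point `inventory()` at a real profile's `Extensions` directory to list the extensions that share all-sites or history access with the agent; a declared permission says what an extension may do, not what it does at runtime.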
The evidence behind this
“A malicious npm package posing as a remote Codex UI stole developers' Codex auth tokens - non-expiring credentials that enable long-term account impersonation.”
Aikido Security
The confirmed Codex-branded attack. The name is a lure across npm, Android and, inevitably, the Web Store.
“AI Browsers are trained to complete tasks, not to be security aware.”
SquareX Labs
The structural problem with any agent that acts inside your authenticated sessions.
“Featured, Verified extensions with hundreds of thousands of installs have quietly exfiltrated data. The store's badges don't watch what the code does at runtime.”
The AI Chat Scraping Wall of Shame
Our own research - why a polished "Codex" listing still needs a behavioural scan.
Frequently asked questions
Is there an official OpenAI Codex Chrome extension?
Yes. OpenAI launched an official Codex Chrome extension in May 2026. It lets the Codex agent operate your real Chrome profile so it can test and debug against authenticated web apps. It's installed by linking the Codex desktop app rather than a standalone Web Store install, which is a deliberate safeguard - so if a listing asks you to install a "Codex" extension directly from search, be suspicious.
What permissions does the Codex Chrome extension request?
Broad ones. It requests "read and change all your data on all websites" and "read and change your browsing history on all your signed-in devices". OpenAI adds domain allow and block lists and per-site confirmation on top. That's appropriate for a tool meant to drive real web apps, but it means the extension can, by default, act across everything you're logged into - so scope it deliberately.
Has anything Codex-branded been used in an attack?
Yes, though not as a Chrome extension so far. Security firm Aikido found a malicious npm package posing as a remote Codex UI that stole developers' Codex authentication tokens from ~/.codex/auth.json on install - non-expiring credentials that enable long-term account impersonation. It's a reminder that the Codex name will be abused across every install channel, so verify sources and protect your tokens.
Is it safe to let Codex drive my signed-in browser at work?
It can be, if you scope it. Limit the domains it can touch, keep confirmation on for sensitive actions, and don't point it at production admin consoles casually. Combine that with an inventory of every other extension in developers' browsers, since a broad-access agent sharing a browser with an unvetted extension is exactly the pairing that has gone wrong elsewhere.