OpenAI Codex Tokens Stolen in Active npm Supply Chain Attack Targeting 29,000 Weekly Downloads

  • 29,000 weekly npm downloads
  • 60,000+ Android app installs
  • 30+ days: active exfiltration period
  • 3 delivery vectors identified

TL;DR
  • What: The codexui-android npm package (v0.1.82+, 29,000 weekly downloads) and two Android apps by "BrutalStrike" silently exfiltrate OpenAI Codex tokens from ~/.codex/auth.json to attacker C2 sentry.anyclaw[.]store, active for 30+ days.
  • Impact: Stolen refresh_token values grant indefinite, silent impersonation of any compromised Codex account; 60,000+ additional Android installs extend the blast radius.
  • Fix / mitigation: Remove codexui-android immediately, revoke all Codex authentication tokens, rotate API keys, and block network connections to anyclaw[.]store.
  • Who's at risk: Any developer who installed codexui-android or the "OpenClaw Codex Claude AI Agent" / "Codex" Android apps and authenticated to OpenAI Codex.

A sophisticated supply chain attack targeting OpenAI Codex developers has compromised authentication tokens through a legitimate-appearing npm package with 29,000 weekly downloads. The codexui-android package, marketed as a remote web UI for OpenAI Codex, has been silently exfiltrating user credentials to attacker-controlled infrastructure for approximately 30 days, according to research from Aikido Security.

Unlike typical typosquatting campaigns, this attack embedded malicious code into a functional, actively developed package that delivered advertised features while simultaneously harvesting credentials. The associated GitHub repository remains clean, with malicious modifications exclusively present in the npm-published versions—a tactic designed to evade casual security reviews.

Attack Mechanics and Token Exfiltration

The malicious code targets Codex's authentication storage at ~/.codex/auth.json, extracting plaintext credentials including access tokens, refresh tokens, ID tokens, and account IDs. These credentials are transmitted to sentry.anyclaw[.]store, a domain masquerading as the legitimate Sentry monitoring platform. The threat actor introduced malicious code approximately one month after initial publication, likely calculating that delayed activation would build user trust and expand the attack surface before detection.

Researcher Charlie Eriksen emphasized the severity: "The refresh_token doesn't expire. An attacker holding it can silently impersonate you indefinitely. A stolen Codex refresh_token goes beyond access to a chat interface—it's persistent, silent access to whatever that account can do."

Immediate Action Required

If you've used codexui-android or the associated Android applications, revoke all Codex authentication tokens immediately. Check ~/.codex/auth.json for unauthorized access and rotate API keys. The refresh tokens do not expire automatically and provide indefinite account access.

Multi-Platform Campaign Extends to Mobile

The attack extends beyond npm to Android applications distributed by an entity named "BrutalStrike." Two compromised apps—OpenClaw Codex Claude AI Agent (50,000+ downloads) and Codex (10,000+ downloads)—execute the malicious npm package within PRoot sandboxes. The Android implementation extracts a Termux-derived Linux userland, runs Node.js inside the app's private storage, and pulls the latest npm package version without pinning, ensuring victims receive compromised code.

The Android attack chain operates through these steps:

The 26 MB APK appears clean on Google Play pre-publish scans, demonstrating how attackers circumvent automated security controls by deferring malicious functionality to dynamically loaded components.

Attribution and Infrastructure Analysis

The npm account "friuns" (Igor Levochkin) published the package, with exfiltration infrastructure at anyclaw[.]store. Domain registration records show anyclaw[.]store was created April 12, 2026, two days after the initial npm package version (0.1.72) appeared on npmjs.com. The author's X profile links directly to this domain, establishing a clear infrastructure connection.

When confronted by Aikido Security, the package author posted contradictory responses on GitHub. Initial comments claimed lost npm account access before being edited to state they were "investigating this issue internally" and removing "affected functionality." The author denied sharing credential data with third parties but failed to explain why exfiltration code existed only in npm builds or why Codex token access was necessary for the package's stated functionality.

Broader Implications for AI Developer Security

This campaign represents an escalation in supply chain attacks targeting AI development workflows. Threat actors increasingly focus on AI developer tooling as organizations integrate large language models into software development pipelines. The attack demonstrates sophistication in timing malicious code injection, creating cross-platform delivery mechanisms, and exploiting trust in functional packages with active development.

Related: Google API Key Deletion Window

Aikido Security recently identified that deleted Google API keys remain valid for up to 23 minutes (median 16 minutes) due to distributed system propagation delays. Attackers with leaked keys can exploit this window to access Google Gemini and other APIs before revocation completes—a similar credential lifecycle vulnerability pattern.

OpenAI's documentation warns that ~/.codex/auth.json should be treated like passwords: "Don't commit it, paste it into tickets, or share it in chat." However, the plaintext storage model creates inherent risk when malicious code gains filesystem access, whether through compromised packages or mobile sandboxes.

Detection and Remediation

Organizations should immediately implement these measures:

The codexui-android package remains available on npm at time of publication. IT security teams should implement registry blocking and conduct developer workstation scans for the compromised package and auth.json exfiltration. Mobile device management systems should block the identified Android applications and scan for the gptos.intelligence.assistant and codex.app package names.
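
One way to run the workstation scan described above, as an added example that is not code from the article or from Aikido Security: it walks a directory tree for installed or lockfile-pinned copies of codexui-android, flags versions at or above 0.1.82, and searches installed files for the C2 domain. The function names and the choice to read only the lockfile v2/v3 "packages" map are assumptions of this example.

```python
import json
import os
import re
from pathlib import Path

PACKAGE = "codexui-android"   # package named in the article
FIRST_BAD = (0, 1, 82)        # article: v0.1.82+ carries the exfiltration code
C2_MARKER = "anyclaw.store"   # C2 domain from the article, written plain for matching

def load_json(path):
    try:  # unreadable or malformed files are treated as empty
        data = json.loads(path.read_text(errors="ignore"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def parse_version(text):
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", str(text))
    return tuple(int(g) for g in m.groups()) if m else (0, 0, 0)  # unparsable sorts lowest

def finding(source, version, c2_string=False):
    return {"source": str(source), "version": version, "c2_string": c2_string,
            "known_bad": parse_version(version) >= FIRST_BAD}

def scan_tree(root):
    """Report every installed or lockfile-pinned copy of PACKAGE under root."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        if "package-lock.json" in filenames:  # pinned copy (lockfile v2/v3 "packages" map)
            lock = load_json(here / "package-lock.json")
            results += [finding(here / "package-lock.json", entry.get("version", ""))
                        for key, entry in lock.get("packages", {}).items()
                        if key.endswith("node_modules/" + PACKAGE)]
        if here.name == PACKAGE and here.parent.name == "node_modules":  # installed copy
            version = load_json(here / "package.json").get("version", "")
            hit = any(C2_MARKER in f.read_text(errors="ignore")
                      for f in here.rglob("*") if f.is_file())
            results.append(finding(here, version, hit))
            dirnames[:] = []  # contents already searched; do not walk into them again
    return results

def tokens_exposed(results, home):
    """True if a flagged copy exists and home holds a Codex auth file to revoke."""
    flagged = any(r["known_bad"] or r["c2_string"] for r in results)
    return flagged and (Path(home) / ".codex" / "auth.json").is_file()

if __name__ == "__main__":
    found = scan_tree(Path.home())
    print(*found, f"revoke Codex tokens: {tokens_exposed(found, Path.home())}", sep="\n")
```

Copies below 0.1.82 are still listed, with known_bad set to False, so they can be removed or reviewed. Point scan_tree at the global npm prefix as well as project directories, since a globally installed copy lives under its own node_modules.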

Supply Chain Security Posture

This incident underscores fundamental supply chain security gaps that persist despite increased awareness. The attack succeeded through delayed malicious code injection, cross-platform delivery diversification, and exploiting the trust developers place in functional packages. Traditional security controls—GitHub repository scanning, Google Play automated analysis, and npm registry monitoring—all failed to detect the threat before significant distribution.

Security teams must assume breach in third-party dependencies and implement defense-in-depth controls including runtime application self-protection, network egress filtering, and credential lifecycle management. The shift toward AI-assisted development creates expanded attack surfaces as developers integrate new tooling without established security baselines. Threat actors recognize this opportunity and are actively developing campaigns targeting AI development workflows with increasing sophistication.
