4 Sources
[1]
Attack targeting OpenAI Codex users exposes AI software supply chain risks
The incident highlights how attackers can hide malicious code in software packages that differ from the source code available for review. A malicious npm package posing as a remote user interface for OpenAI Codex exfiltrated developer authentication tokens, after attackers allegedly published code to npm that was not visible in the project's public GitHub repository. Researchers at Aikido said the package, called codexui-android, appeared to offer legitimate functionality while collecting authentication tokens and sending them to an external server.
[2]
OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack
Cybersecurity researchers have disclosed details of a new malicious supply chain campaign that's targeting developers using OpenAI Codex through a legitimate-looking remote web UI. The tool, named codexui-android, is advertised on GitHub and npm as a remote web UI for OpenAI Codex, attracting over 29,000 weekly downloads. The package is still available for download from the repository. What makes this activity noteworthy is that it's not a traditional attack that uses a typosquat or throwaway package to trick developers. Rather, the malicious code is embedded into a functional npm package that has undergone active development. The associated GitHub repository remains clean. "And for the past month, every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server," Aikido Security researcher Charlie Eriksen said. The nefarious changes are said to have been introduced about a month after the package was published to the registry, likely in an effort to build user trust and expand its reach. The npm account associated with the package is "friuns" (aka Igor Levochkin). Present within the package is code that extracts the contents of Codex's "~/.codex/auth.json" file and exfiltrates them to a remote server ("sentry.anyclaw[.]store") that masquerades as Sentry, a legitimate application monitoring and error tracking platform. The captured data includes the following details: access_token, refresh_token, id_token, and account ID. "The refresh_token doesn't expire," Eriksen said. "An attacker holding it can silently impersonate you indefinitely. A stolen Codex refresh_token goes beyond access to a chat interface -- it's persistent, silent access to whatever that account can do." 
It's worth mentioning here that every time a user logs in to the Codex app, CLI, or IDE Extension using either ChatGPT or an API key, the login details are cached locally in a plaintext file at ~/.codex/auth.json or in the operating system-specific credential store. "If you use file-based storage, treat ~/.codex/auth.json like a password: it contains access tokens," OpenAI warns in its support documentation. "Don't commit it, paste it into tickets, or share it in chat." Interestingly, the npm package is far from the only delivery vector the threat actor uses to target Codex developers. Aikido said it observed an Android application named OpenClaw Codex Claude AI Agent (package name: "gptos.intelligence.assistant") that runs the npm package within its PRoot sandbox and sends the Codex credentials to the same endpoint. "The APK itself is small (26 MB) and looks clean on a Play pre-publish scan," Eriksen explained. "On first run, it extracts a Termux-derived Linux userland into the app's private storage and runs Node.js inside it via PRoot." "The version is not pinned, so the device pulls whatever is currently published on npm. The exfiltration has been in place since [email protected]. The package runs inside the app's PRoot sandbox, where the in-app Codex sign-in writes its auth.json. Once the user signs in, the package reads that file out of the sandbox and ships the full OAuth blob to sentry.anyclaw.store/startlog." Released by an entity named "BrutalStrike," the Android app has more than 50,000 downloads. The same exfiltration chain has also been flagged in a second Android app linked to BrutalStrike: Codex (package name: "codex.app"), which has been downloaded over 10,000 times. The remaining three apps offered by the developer do not contain the functionality. 
Upon reaching out to the package author on GitHub, Aikido said they initially posted a comment stating they had lost access to their npm account, only to edit the response and post a different one in which they claimed they are "currently investigating this issue internally" and that they "have started removing the affected functionality and related data." The author further claimed no credential data was shared with any third parties, without answering why this code was inserted only into the npm package build or why they needed access to the Codex tokens in the first place. The X profile linked to the author includes the domain "anyclaw[.]store." WHOIS records indicate that the domain was registered on April 12, 2026, just two days after the very first version of the npm package (version 0.1.72) was uploaded to npmjs[.]com. The development comes as threat actors are increasingly targeting real artificial intelligence (AI) developer tooling and workflows to steal credentials and burrow deeper into the software supply chain. Late last month, the Belgian security company also found that a deleted Google API key remains live for up to 23 minutes, a window that an attacker with access to a leaked key can take advantage of to gain access to user data and other APIs, including those related to Google Gemini. The median revocation window is around 16 minutes. "An attacker holding your deleted key can keep sending requests until one reaches a server that has not caught up," researcher Joe Leon said. "If Gemini is enabled on the project, they can dump files you have uploaded and exfiltrate cached conversations." Although Google first opted not to fix the issue, stating it's a "known property of the system and not a security issue," the tech giant has since decided to treat it as a P0 bug, making it a severe issue that "needs to be addressed immediately." 
The findings, as with a similar 4-second exploitation window previously observed with deleted Amazon Web Services (AWS) access keys, highlight how credential revocation delays are exploitable and can be used to gain unauthorized access to the cloud environments, while defenders assume the credentials have been revoked.
[3]
Popular Codex npm package stole developer tokens for a month
A popular npm package for OpenAI Codex with 29,000 weekly downloads has been stealing developer authentication tokens for a month. The same credential-theft chain also ran through two Android apps with over 60,000 combined downloads.
The npm package looked legitimate. It had an active GitHub repository, steady development history, and roughly 29,000 weekly downloads. For developers using OpenAI Codex, it offered exactly what it advertised: a remote web UI for the AI coding tool. But for the past month, every invocation of codexui-android has also been silently reading the contents of the user's Codex authentication file and shipping it to an attacker-controlled server. The stolen data includes access tokens, refresh tokens, ID tokens, and account IDs, everything needed to impersonate the developer indefinitely. "The refresh_token doesn't expire," Aikido Security researcher Charlie Eriksen wrote. "An attacker holding it can silently impersonate you indefinitely."
How it worked
The attack was unusually sophisticated for an npm supply chain compromise. Unlike typical supply chain attacks that rely on typosquatting or disposable packages, codexui-android was a functional tool under active development. Its GitHub repository remained clean. The malicious code existed only in the npm build. The package extracts the contents of Codex's file, a plaintext credential cache created whenever a user logs in via the Codex app, CLI, or IDE extension. It then sends those credentials to , a server name chosen to mimic Sentry, the legitimate error-tracking platform. The nefarious functionality was introduced approximately a month after the package was first published, a common tactic for building user trust before deploying a payload. WHOIS records show the exfiltration domain was registered on 12 April 2026, just two days after the first package version (0.1.72) was uploaded to npm. The malicious code appeared from version 0.1.82 onward.
The same attack, from the Play Store
The npm package was not the only delivery vector. Aikido found that an Android application called OpenClaw Codex Claude AI Agent, published by a developer named BrutalStrike, was running the same npm package inside a PRoot sandbox on users' devices. The app had accumulated more than 50,000 downloads on Google Play. A second BrutalStrike app, simply called Codex, had over 10,000 downloads and contained the same exfiltration chain. Because neither app pinned a specific npm package version, they automatically pulled whatever was currently published, meaning the malicious code was delivered to mobile users the moment it went live. The combined attack surface, roughly 29,000 weekly npm downloads plus more than 60,000 mobile installations, makes this one of the more significant credential-theft campaigns to target the AI developer tooling ecosystem.
The author's shifting story
The npm account behind the package belongs to "friuns," identified by Aikido as Igor Levochkin. When confronted on GitHub, the author initially claimed to have lost access to the npm account, then edited the response to say they were "currently investigating this issue internally." Levochkin said no credential data was shared with third parties, but did not explain why the exfiltration code was inserted only into the npm build, or why access to users' Codex tokens was needed in the first place. The X profile linked to the account includes the domain anyclaw[.]store, the same domain to which the stolen tokens were sent.
A growing pattern
The attack arrives in a period of escalating threats to AI developer tooling. Last month, a poisoned VS Code extension breached GitHub's own internal repositories, exfiltrating 3,800 repos after an employee installed the malicious package. That attack, attributed to the group TeamPCP, harvested credentials from 1Password vaults, Claude Code configurations, and AWS. The lesson from both incidents is the same. As AI coding tools become essential infrastructure, the authentication tokens they generate, and often store in plaintext, are becoming high-value targets. OpenAI's own documentation warns developers to treat like a password. The codexui-android campaign is a demonstration of what happens when that advice goes unheeded, and when the tools developers trust are designed to exploit that trust. Aikido has also separately reported that deleted Google API keys remain live for up to 23 minutes after revocation, a window attackers can exploit to access user data and Gemini conversations. Google has since classified the issue as a P0 bug. The finding underscores a broader problem: credential revocation in cloud environments is rarely as instant as defenders assume.
[4]
OpenAI Codex tool with over 29,000 downloads linked to malicious npm supply chain attack stealing authentication tokens
* Researchers uncovered a malicious npm package posing as a Codex UI tool
* Attackers exfiltrated Codex authentication tokens, including non‑expiring refresh tokens
* Aikido Security also found two Android apps targeting Codex users
A newly discovered supply-chain attack on npm is targeting software developers using OpenAI Codex. Codex is OpenAI's coding assistant and software engineering agent that can write and review code, fix bugs, run tests, and help developers build software with nothing but plain language input. Recently it was discovered that a tool published on both GitHub and npm was actually malicious. It is called "codexui-android", and it is described as a remote web user interface for the Codex platform. It attracted more than 29,000 weekly downloads, so it was rather popular. One of the reasons for its popularity is because it worked as advertised and appeared legitimate. The code published on GitHub remained "clean" the whole time, meaning the public source code didn't show any malicious behavior.
Breaking bad
However, approximately a month into its existence, the tool received an update on npm which added information-stealing code. It primarily hunted for OpenAI login credentials. When a developer runs the tool, it looks for their Codex authentication tokens and exfiltrates them to an attacker-controlled server. One of the tokens (the refresh token) can potentially allow an attacker to continue accessing the victim's OpenAI account for an extended period of time without needing the password. The implications are rather dangerous, explained Aikido Security researcher Charlie Eriksen, who found and disclosed the attack. Besides the obvious - accessing the victim's Codex sessions - the attacker can use the tokens to spend the victim's API credits, to view projects or code they're working on through Codex, and even impersonate the victim when interacting with OpenAI services. "The refresh_token doesn't expire," Eriksen said. "An attacker holding it can silently impersonate you indefinitely. A stolen Codex refresh_token goes beyond access to a chat interface -- it's persistent, silent access to whatever that account can do."
Aikido also said it saw two Android apps, both published by the same account, that were also targeting Codex users. One is called OpenClaw Codex Claude AI Agent, running the npm package within its PRoot sandbox and sending all Codex credentials to the same, attacker-controlled server. This one had more than 50,000 downloads. The other one is called Codex and counts more than 10,000 downloads.
Via The Hacker News
A malicious npm package posing as a remote UI for OpenAI Codex quietly exfiltrated developer authentication tokens for a month, attracting 29,000 weekly downloads. The same credential-theft chain ran through two Android apps with over 60,000 combined downloads. The attack highlights how threat actors can hide malicious code in npm builds while keeping GitHub repositories clean, exposing critical vulnerabilities in AI developer tooling.
A sophisticated supply chain attack targeting OpenAI Codex users has exposed critical vulnerabilities in AI developer tooling: a malicious npm package called codexui-android, downloaded approximately 29,000 times a week, silently stole authentication tokens for over a month [1]. Unlike typical attacks relying on typosquatting or disposable packages, this campaign used a functional tool under active development, making detection significantly more challenging for developers who rely on these AI developer tools [3].
What makes this supply chain attack particularly dangerous is the divergence between the public GitHub repository, which remained clean throughout the campaign, and the npm build that contained the malicious code [2]. Researchers at Aikido Security discovered that the package extracted contents from Codex's "~/.codex/auth.json" file and sent them to an attacker-controlled server masquerading as Sentry, a legitimate error tracking platform.
The exfiltrated data included critical credentials: access_token, refresh_token, id_token, and account ID [2]. According to Aikido Security researcher Charlie Eriksen, the refresh_token poses the most severe threat because it doesn't expire, granting attackers persistent access to victims' accounts indefinitely [4]. This means stolen OpenAI Codex credentials go far beyond simple chat interface access, enabling attackers to spend victims' API credits, view projects or code being developed through Codex, and impersonate developers when interacting with OpenAI services.
The nefarious changes were introduced approximately a month after the package was first published to the registry, likely a deliberate strategy to build user trust and expand reach before deploying the payload [2]. The npm account associated with the package belongs to "friuns," identified as Igor Levochkin, whose X profile links to the same domain used for the credential-theft chain.
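One way to check for the repository-versus-package divergence described above, as an added example that is not code from any of the cited reports: hash every file in an unpacked npm tarball, compare it with a source checkout, and flag package-only or modified files that mention the Codex credential file. The function names, the `example-ui` sample trees and the `telemetry.example.invalid` host are constructed for illustration; legitimate build output also differs from source, so the findings are a review list, not a verdict.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const crypto = require('node:crypto');

// Strings worth a manual look in code the repo does not contain. The first comes
// from the reporting above; the other two are assumed, generic markers.
const SUSPECT = [/\.codex[\\/]+auth\.json/, /refresh_token/, /https?:\/\//];

// Map every file under root to its SHA-256, keyed by POSIX-style relative path.
function hashTree(root, dir = root, out = new Map()) {
  for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, ent.name);
    if (ent.isDirectory()) hashTree(root, full, out);
    else if (ent.isFile()) {
      const rel = path.relative(root, full).split(path.sep).join('/');
      out.set(rel, crypto.createHash('sha256').update(fs.readFileSync(full)).digest('hex'));
    }
  }
  return out;
}

// List files that exist only in the package or differ from the repo copy,
// together with the suspect patterns each one matches.
function diffPackage(pkgDir, repoDir) {
  const pkg = hashTree(pkgDir), repo = hashTree(repoDir);
  const findings = [];
  for (const [rel, digest] of pkg) {
    if (repo.get(rel) === digest) continue; // byte-identical to the reviewed source
    const text = fs.readFileSync(path.join(pkgDir, rel), 'utf8');
    findings.push({
      file: rel,
      status: repo.has(rel) ? 'modified' : 'package-only',
      hits: SUSPECT.filter((re) => re.test(text)).map((re) => re.source),
    });
  }
  return findings.sort((a, b) => a.file.localeCompare(b.file));
}

// Constructed sample trees (not the real package contents).
function buildSample() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'pkgdiff-'));
  const write = (rel, body) => {
    const p = path.join(base, rel);
    fs.mkdirSync(path.dirname(p), { recursive: true });
    fs.writeFileSync(p, body);
  };
  for (const side of ['repo', 'pkg']) {
    write(`${side}/package.json`, '{"name":"example-ui","version":"1.0.0"}');
    write(`${side}/src/server.js`, 'module.exports = () => "ui";\n');
  }
  write('pkg/src/telemetry.js',
    'const f = require("os").homedir() + "/.codex/auth.json";\n' +
    '// constructed: would post to https://telemetry.example.invalid/startlog\n');
  return { pkgDir: path.join(base, 'pkg'), repoDir: path.join(base, 'repo') };
}

const runSample = () => { const s = buildSample(); return diffPackage(s.pkgDir, s.repoDir); };
console.log(JSON.stringify(runSample(), null, 2));
```

On real input, point `diffPackage` at the directory produced by unpacking the registry tarball and at a checkout of the matching tag.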
The credential-theft chain extended beyond npm to mobile platforms, with two Android apps published by developer "BrutalStrike" running the same malicious code [3]. The first app, OpenClaw Codex Claude AI Agent, accumulated over 50,000 downloads on Google Play, while a second app simply called Codex had more than 10,000 downloads [2]. Both Android apps ran the npm package within a PRoot sandbox, extracting developer authentication tokens and sending them to the same attacker-controlled server at sentry.anyclaw[.]store.
Because neither app pinned a specific package version, they automatically pulled whatever was currently published on npm, meaning the malicious code was delivered to mobile users the moment it went live [3]. The combined attack surface of roughly 29,000 weekly npm downloads plus more than 60,000 mobile installations makes this one of the more significant campaigns targeting AI developer tooling ecosystems.
This incident underscores growing AI software supply chain risks as threat actors increasingly target real artificial intelligence developer workflows to steal credentials and burrow deeper into software infrastructure [2]. WHOIS records reveal that the exfiltration domain was registered on April 12, 2026, just two days after the first version of the npm package was uploaded, suggesting premeditated planning [3].
When confronted on GitHub, the package author initially claimed to have lost access to their npm account, then edited the response to state they were "currently investigating this issue internally" and removing affected functionality [2]. However, the author failed to explain why exfiltration code was inserted only into the npm build or why access to users' Codex tokens was needed. OpenAI's own documentation warns developers to treat ~/.codex/auth.json like a password, advising against committing it or sharing it in communications, yet storing these credentials in plaintext leaves them exposed when the tools developers trust are designed to exploit that trust [3].
Developers should watch for similar discrepancies between public repositories and published packages, implement stricter verification processes for dependencies, and monitor for unauthorized access using stolen credentials. The challenge of credential revocation adds another layer of concern, as Aikido separately reported that deleted Google API keys remain live for up to 23 minutes, giving attackers a window to exploit leaked credentials even after revocation attempts [2].
Summarized by Navi