The widely used Codex npm package misappropriated developer tokens for an entire month.

      TL;DR: A widely used npm package for OpenAI Codex, boasting 29,000 weekly downloads, has been stealing developer authentication tokens for a month. This same credential-theft method has also been utilized in two Android apps with over 60,000 downloads combined.

      The npm package appeared to be legitimate, featuring an active GitHub repository, a consistent development history, and around 29,000 weekly downloads. For developers using OpenAI Codex, it provided exactly what it claimed: a remote web UI for the AI coding tool. However, for the past month, each call to codexui-android has been covertly reading the user’s Codex authentication file and transmitting it to a server controlled by an attacker. The stolen information includes access tokens, refresh tokens, ID tokens, and account IDs—everything necessary to impersonate the developer indefinitely. “The refresh_token doesn’t expire,” noted Aikido Security researcher Charlie Eriksen. “An attacker holding it can silently impersonate you indefinitely.”

      How it worked

      This attack was particularly sophisticated for an npm supply chain compromise. Unlike typical supply chain attacks that utilize typosquatting or disposable packages, codexui-android was a functioning tool actively under development. Its GitHub repository remained untainted. The malicious code existed solely within the npm build.

      The package extracts data from Codex’s ~/.codex/auth.json file, a plaintext credential cache created when a user logs into the Codex app, CLI, or IDE extension. It then transmits those credentials to sentry.anyclaw[.]store, a server name designed to mimic Sentry, the legitimate error-tracking platform.

      This harmful feature was introduced roughly a month after the package's initial publication, a common strategy to build user trust before deploying a malicious payload. WHOIS records indicate the exfiltration domain was registered on April 12, 2026, just two days after the first package version (0.1.72) was uploaded to npm. The malicious code emerged from version 0.1.82 onward.

      The same attack from the Play Store

      The npm package was not the sole method of delivery. Aikido discovered that an Android app called OpenClaw Codex Claude AI Agent, published by a developer named BrutalStrike, was running the same npm package within a PRoot sandbox on users' devices. This app had garnered over 50,000 downloads on Google Play.

      A second app by BrutalStrike, simply named Codex, had more than 10,000 downloads and included the same exfiltration method. Neither app specified a particular npm package version, causing them to automatically download the latest version, meaning mobile users were exposed to the malicious code as soon as it went live.
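A defender-side check for the two conditions described above (an install at or after version 0.1.82, and a dependency spec that floats to the latest release), as an added example that is not from the article or from Aikido. Only the package name and version threshold come from the article; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: inputs are constructed; package name and threshold are from the article.
const PKG = "codexui-android";
const FIRST_BAD = [0, 1, 82]; // first version the article reports as malicious

// True when "x.y.z" (prerelease/build suffix ignored) is >= FIRST_BAD.
function isAffected(version) {
  const parts = String(version).split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== FIRST_BAD[i]) return a > FIRST_BAD[i];
  }
  return true; // exactly 0.1.82
}

// Walk a parsed package-lock.json (v2/v3 "packages" map, or the nested
// v1 "dependencies" tree) and list every install of PKG, direct or transitive.
function auditLockfile(lock) {
  const hits = [];
  const add = (path, meta) =>
    hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) add(path, meta);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}/${name}`;
      if (name === PKG) add(path, meta);
      walk(meta.dependencies, path);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Return the package.json spec for PKG when it is anything other than an
// exact x.y.z pin (e.g. "latest", "*", "^0.1.72"); null if pinned or absent.
function floatingSpec(pkgJson) {
  const spec = { ...pkgJson.devDependencies, ...pkgJson.dependencies }[PKG];
  if (spec === undefined) return null;
  return /^\d+\.\d+\.\d+$/.test(spec) ? null : spec;
}

// Constructed sample lockfile (v3 layout) for demonstration.
const sampleLock = { packages: {
  "": { name: "demo" },
  "node_modules/codexui-android": { version: "0.1.85" },
  "node_modules/a/node_modules/codexui-android": { version: "0.1.72" },
} };
console.log(auditLockfile(sampleLock), floatingSpec({ dependencies: { [PKG]: "latest" } }));
```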

      The combined attack surface, with approximately 29,000 weekly npm downloads and more than 60,000 mobile installations, makes this one of the most significant credential-theft campaigns targeting the AI developer tooling ecosystem.

      The author’s changing narrative

      The npm account associated with the package belongs to "friuns," identified by Aikido as Igor Levochkin. When confronted on GitHub, the author first claimed to have lost access to the npm account and later modified their response to state they were “currently investigating this issue internally.”

      Levochkin asserted that no credential data was shared with third parties but did not clarify why the exfiltration code was only placed in the npm build or why access to users’ Codex tokens was necessary. The X profile linked to the account includes the domain anyclaw[.]store, the same destination to which the stolen tokens were sent.

      A growing trend

      This attack occurs during a time of increasing threats to AI developer tooling. Last month, a compromised VS Code extension accessed GitHub’s internal repositories, extracting 3,800 repositories after an employee installed the malicious package. This attack, attributed to TeamPCP, gathered credentials from 1Password vaults, Claude Code configurations, and AWS.

      The takeaway from both incidents is the same: As AI coding tools become crucial infrastructure, the authentication tokens they produce, often stored in plaintext, are becoming valuable targets. OpenAI’s documentation advises developers to treat ~/.codex/auth.json as a password. The codexui-android campaign exemplifies the consequences of ignoring this advice and trusting tools designed to exploit that trust.

      Additionally, Aikido reported that deleted Google API keys can remain active for up to 23 minutes after revocation, presenting a window for attackers to access user data and Gemini conversations. Google has classified this issue as a P0 bug, highlighting a broader concern: credential revocation in cloud environments is rarely as immediate as defenders believe.
