What the codexui-android Supply Chain Attack Is
The codexui-android supply chain attack is a malicious modification of a widely used npm package and related Android apps that silently exfiltrate OpenAI Codex authentication tokens from developers’ systems, granting attackers persistent, unauthorized access to affected Codex accounts and any connected tools or workflows that rely on those stolen credentials. Unlike classic typosquatting, this campaign abuses a legitimate-looking remote web UI for Codex, downloaded more than 29,000 times per week and actively developed in public. The GitHub repository appears clean, while the npm build contains hidden exfiltration logic, underscoring how npm package security can be undermined in the publishing pipeline itself. For impacted developers, this is not only about one compromised library; it is a direct compromise of identity, access, and trust in their development environment.
How Tokens Were Stolen: Inside the Malicious Code
In the compromised npm versions, codexui-android includes code that reads the Codex authentication file at ~/.codex/auth.json and sends its contents to an attacker-controlled endpoint, sentry.anyclaw[.]store, which imitates a legitimate monitoring service. The stolen data includes access_token, refresh_token, id_token, and the account ID. According to Aikido Security researcher Charlie Eriksen, “every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server.” The most severe impact comes from the refresh_token: it does not expire, meaning attackers who hold it can impersonate a developer’s Codex account indefinitely unless the credentials are revoked. OpenAI’s own guidance states that ~/.codex/auth.json should be treated like a password, since it stores sensitive tokens in plaintext on disk whenever users log in through the Codex app, CLI, or IDE extensions.
Android Apps and Persistent Unauthorized Access
The npm package is only one part of the attack chain. Aikido researchers found an Android app, OpenClaw Codex Claude AI Agent (package: gptos.intelligence.assistant), which has more than 50,000 downloads and runs codexui-android inside a PRoot sandbox. On first launch, the app loads a Termux-derived Linux environment and runs Node.js, dynamically pulling the latest codexui-android from npm. Since the exfiltration has been in place since codexui-android@0.1.82, any in-app Codex sign-in writes auth.json inside the sandbox, where the malicious package reads and ships the full OAuth blob to sentry.anyclaw.store/startlog. A second app named Codex (package: codex.app), with over 10,000 downloads, uses the same mechanism, while three other apps from the same developer do not. This architecture enables silent, repeatable theft of developer credentials and persistent unauthorized access.
Why npm Supply Chain Attacks Are So Dangerous
This incident shows how a realistic supply chain attack can grow silently inside everyday tooling. The codexui-android package built trust by shipping a functional Codex UI and then, about a month after first publication, introduced hidden exfiltration code into the npm build while leaving the GitHub repository clean. The npm account “friuns” is tied to a domain, anyclaw[.]store, registered shortly after the first package release, suggesting planning rather than opportunistic tampering. For developers, the danger is twofold: trusted dependencies turn into credential theft channels, and token-based auth means stolen refresh tokens translate to deep, long-lived access. At the same time, separate research from Aikido shows that credential revocation delays—like live Google API keys staying valid for a median of 16 minutes after deletion—extend the window attackers can keep abusing leaked developer credentials and cloud access.
Immediate Actions for Developers: Contain, Rotate, Monitor
Developers who installed or used codexui-android since version 0.1.82, or who authenticated through the linked Android apps, should treat their Codex credentials as compromised. First, revoke all Codex tokens: log out from the Codex app, CLI, and IDE extensions, invalidate any active sessions, and regenerate new access and refresh tokens where possible. Remove codexui-android from your projects and uninstall the suspicious Android apps; do not rely on package updates alone. Next, audit your systems for npm package security issues: review dependency lists, lockfiles, and CI images for references to codexui-android, and rebuild from clean sources. Finally, monitor account activity for signs of authentication token theft, including unfamiliar logins, unexpected Codex usage, or API calls you did not initiate. Extend this review to any other developer credentials that might have been stored or cached on the same machines.
