Popular npm Package Steals Codex Authentication Tokens


What Happened: A Functional npm Package Turned into a Credential Thief

The codexui-android incident is a software supply chain attack in which a legitimate, actively developed npm package was turned into a credential-stealing tool. The package exfiltrated OpenAI Codex authentication tokens from developers, enabling persistent unauthorized access to their accounts and highlighting systemic weaknesses in npm package security and developer security practices. Cybersecurity researchers at Aikido Security found that codexui-android, a remote web UI for OpenAI Codex with over 29,000 weekly downloads, has been quietly stealing tokens since version 0.1.82. Unlike classic typosquatting, the package is functional and is promoted through a real GitHub repository that remains clean; only the npm build contains the malicious code. This code reads the ~/.codex/auth.json file and sends the access_token, refresh_token, id_token, and account ID to sentry.anyclaw.store, a domain posing as a Sentry endpoint. The npm account behind the package is linked to the user “friuns” (also known as Igor Levochkin).

How Tokens Were Stolen and Why the Risk Is Persistent

The attack targets how Codex stores credentials locally. When a user signs in via the Codex app, CLI, or IDE extension with ChatGPT or an API key, the credentials are cached either in plaintext at ~/.codex/auth.json or in the OS credential store. OpenAI’s own guidance warns: “If you use file-based storage, treat ~/.codex/auth.json like a password: it contains access tokens.” The compromised codexui-android package reads this file, extracts the full OAuth blob, and exfiltrates it to sentry.anyclaw.store/startlog, which impersonates Sentry. The captured refresh_token is the most dangerous part; Aikido researcher Charlie Eriksen notes that “the refresh_token doesn't expire,” meaning attackers can silently impersonate affected developers for a long time. The exposure is not limited to web chat access; it can extend to whatever actions the Codex account can perform, turning one dependency into a durable backdoor.

Beyond npm: Android Apps and the Wider Supply Chain Attack Surface

The malicious npm package is only one part of a wider supply chain attack targeting Codex developers. Aikido identified an Android app named OpenClaw Codex Claude AI Agent (package: gptos.intelligence.assistant) that wraps a Termux-derived Linux userland and runs Node.js via PRoot inside the app’s private storage. On first run, the app pulls the latest codexui-android version from npm without pinning, then uses it to handle in-app Codex sign-in. Once the user authenticates, the same exfiltration chain reads auth.json and sends credentials to sentry.anyclaw.store. This app, released by an entity called BrutalStrike, has over 50,000 downloads; a second app named Codex (package: codex.app) with over 10,000 downloads shows the same behavior, while three other apps from the developer appear clean. This pattern underscores how a single malicious package can propagate into multiple platforms, magnifying the impact of a developer-focused supply chain attack.

Who Is Affected and What You Must Do Immediately

Any developer who installed or used codexui-android version 0.1.82 or later, either directly from npm or indirectly via the OpenClaw Codex Claude AI Agent or Codex Android apps, should assume their Codex tokens may have been exposed. Immediate protective steps are essential for npm package security and developer security. First, uninstall codexui-android and remove any dependent Android apps from your devices. Next, revoke and rotate all Codex-related tokens and credentials, including refresh tokens, API keys, and any linked authentication methods. Review recent Codex account activity and connected services for signs of unauthorized use, such as unexpected requests or configuration changes. Finally, audit your dependency lists and lockfiles to confirm no shadow use of codexui-android remains. Because the refresh_token allows long-lived impersonation, prompt token rotation is the most urgent action.
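One way to carry out the lockfile audit described above, as an added example that is not from the article or from Aikido's research: it walks a parsed package-lock.json, including transitive and aliased installs, and flags codexui-android at 0.1.82 or later. The sample lockfile is constructed, and the names some-wrapper, ui-alias and demo-app are hypothetical.

```javascript
// Added example: audit a parsed package-lock.json. Name and 0.1.82 floor are from the article.
const PKG = 'codexui-android';
const FIRST_BAD = [0, 1, 82];
// True when `version` >= floor. Prerelease/build suffixes are ignored, and a
// version that is not dotted numbers (git URL, tarball) counts as affected.
function atLeast(version, floor) {
  const parts = String(version).split(/[-+]/)[0].split('.').map(Number);
  if (parts.some(Number.isNaN)) return true;
  for (let i = 0; i < floor.length; i++) {
    const p = parts[i] || 0;
    if (p !== floor[i]) return p > floor[i];
  }
  return true;
}

function auditLockfile(lock) {
  const findings = [];
  const record = (path, version) => {
    if (findings.some((f) => f.path === path)) return; // v2 lists both layouts
    findings.push({ path, version, affected: atLeast(version, FIRST_BAD) });
  };
  // lockfileVersion 2/3: flat "packages" map; `name` is set on aliased installs.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split('node_modules/').pop();
    if (name === PKG) record(path, meta.version);
  }
  // lockfileVersion 1 (and the legacy tree kept in v2): nested "dependencies".
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === PKG) record(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return findings;
}

// Constructed sample lockfile; "some-wrapper" and "ui-alias" are hypothetical names.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/codexui-android': { version: '0.1.81' },
    'node_modules/some-wrapper/node_modules/codexui-android': { version: '0.1.90' },
    'node_modules/ui-alias': { name: 'codexui-android', version: '0.2.0' },
  },
};
console.log(auditLockfile(sampleLock));
```

To audit a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLockfile`. Any entry with `affected: true` means the tokens in ~/.codex/auth.json on that machine should be treated as exposed.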

Lessons for Developers: Hardening npm Package Security and Credential Handling

This incident shows how modern authentication token theft exploits both code distribution and credential management gaps. Developers should pin dependency versions, monitor security advisories, and treat any package that handles authentication as high risk, even if it appears well-maintained. Use minimal, vetted dependencies for security-sensitive paths and favor official clients where possible. Store tokens in secure OS credential stores rather than plaintext files whenever the platform allows, and treat files such as ~/.codex/auth.json as secrets that must never be committed, shared, or copied into logs. More broadly, assume delayed credential revocation can occur, as seen in related findings about brief windows where deleted cloud keys remain usable. Integrate automated secret rotation and anomaly detection into your workflows so that a compromised package cannot silently maintain access. Strengthening npm package security and credential hygiene together is essential to resist similar supply chain attacks.
