How Fake npm Packages Are Stealing Authentication Tokens From Mobile App Developers


What the Codex npm Supply Chain Attack Is and Why It Matters

The Codex npm supply chain attack is a malicious campaign where a seemingly legitimate npm package and Android apps silently steal OpenAI Codex authentication tokens from developers, giving attackers long-term access to their accounts and any connected applications. Unlike classic typo-squatting, the codexui-android package is a real, functional remote web UI for Codex, advertised on GitHub and npm with over 29,000 weekly downloads. Researchers found that a month after publication, new code was added to read Codex’s ~/.codex/auth.json file and send access_token, refresh_token, id_token, and account ID to an attacker-controlled server posing as Sentry. The attack specifically targets mobile developers who sign in to Codex via bundled tooling or Android apps, turning a trusted dependency into a credential exfiltration channel that can persist even if the initial compromise is removed.

How Codex Tokens Were Stolen from npm and Android Apps

In codexui-android, the malicious logic extracts Codex credentials from the local auth.json file and exfiltrates them to sentry.anyclaw.store, a domain that pretends to be a monitoring service. Aikido Security researcher Charlie Eriksen reported that “for the past month, every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server.” The captured data includes access and refresh tokens, which Codex stores locally when users log in via the CLI, IDE extensions, or the Codex app. The same attacker also shipped an Android app, OpenClaw Codex Claude AI Agent, which pulls the npm package into a Termux-derived Linux environment and runs Node.js via PRoot. Once a user signs in, the in-app Codex login writes auth.json, the package reads it, then sends the full OAuth blob to the same endpoint, extending the npm supply chain attack into mobile environments.

Persistent Account Takeover and Risks to Mobile App Security

The core danger of this npm supply chain attack is persistent account takeover. Codex refresh tokens do not expire by default; if an attacker holds one, they can impersonate a developer silently and indefinitely, even if the original device is wiped or the npm package is removed. Eriksen warned that “a stolen Codex refresh_token goes beyond access to a chat interface — it’s persistent, silent access to whatever that account can do.” For mobile developers, that can include deploying new builds, calling internal APIs, or accessing user-uploaded files and cached conversations through integrated AI services. Because the exfiltration happens in the background each time the package or app runs, authentication token theft may remain undetected while attackers test stolen credentials, create new tokens, or integrate access into broader intrusion campaigns targeting CI/CD pipelines, app backends, and third-party APIs.

Why npm Supply Chain Attacks Are a Critical Threat for Mobile Developers

Mobile teams depend heavily on npm packages for tooling, APIs, and auxiliary services, so a single malicious dependency can spread through thousands of applications. The codexui-android case shows that attackers no longer rely only on throwaway typo-squats; they compromise real, actively developed packages that gain trust before silently exfiltrating developer credentials. The Android apps linked to the same threat actor, including OpenClaw Codex Claude AI Agent and Codex, download and run the npm package dynamically, extending the compromise to devices with more than 60,000 combined installs. At the same time, research into Google API keys and AWS access keys has shown that revocation can lag for minutes, leaving short but exploitable windows even after developers delete keys. This means that mobile app security now hinges as much on dependency hygiene and token handling as on traditional secure coding practices.

Immediate Steps: Auditing, Rotating Tokens, and Monitoring APIs

Developers who used codexui-android from version 0.1.82 onward, or the related Android apps, should assume their Codex authentication tokens and developer credentials are exposed. First, uninstall or disable the affected npm package and Android apps from build systems and development devices. Next, rotate all Codex tokens: revoke existing access and refresh tokens, reauthenticate using trusted channels, and update any CI/CD secrets or environment variables that stored those tokens. Treat ~/.codex/auth.json like a password and ensure it is never committed, shared, or left in logs. Then, enable detailed logging and monitoring for Codex and related API activity to spot unusual requests, new tokens, or suspicious IP addresses. Finally, add regular dependency audits, signed package verification where possible, and automated alerts for new or changed packages in your stack, so future npm supply chain attacks are detected before they reach production.
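The audit step can start with the lockfile. The following is an added example, not code from the researchers or from the package: it flags every `codexui-android` entry at 0.1.82 or later in a parsed `package-lock.json`, covering both the flat `packages` map (lockfileVersion 2/3) and the nested `dependencies` tree (lockfileVersion 1). The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag lockfile entries for the affected package range.
const AFFECTED_NAME = "codexui-android"; // package named in the article
const FIRST_BAD = [0, 1, 82];            // "from version 0.1.82 onward"

// True if version >= FIRST_BAD. Unparseable versions (git URL, tarball)
// return true so they get a manual look instead of a silent pass.
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version || ""));
  if (!m) return true;
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIRST_BAD[i]) return parts[i] > FIRST_BAD[i];
  }
  return true; // exactly 0.1.82
}

function findAffected(lock) {
  const hits = new Map(); // install path -> version
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // meta.name is set for aliased installs; otherwise derive it from the path.
    const name = meta.name || path.split("node_modules/").pop();
    if (name === AFFECTED_NAME && isAffected(meta.version)) hits.set(path, meta.version);
  }
  // lockfileVersion 1 (and the compatibility copy in v2): nested "dependencies".
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === AFFECTED_NAME && isAffected(meta.version)) hits.set(path, meta.version);
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return [...hits].map(([path, version]) => ({ path, version }));
}

// Constructed sample in lockfileVersion 3 shape, not from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-mobile-app", version: "1.0.0" },
    "node_modules/codexui-android": { version: "0.1.85" },
    "node_modules/tooling/node_modules/codexui-android": { version: "0.1.81" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

console.log(findAffected(sampleLock));
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `findAffected`. An empty result only covers what that lockfile records, not a package that an app downloads and runs dynamically.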
