OpenAI Codex Tokens Are Being Silently Stolen Through a Trusted npm Package with 29,000 Weekly Downloads

A functional npm package with 29,000 weekly downloads has been silently exfiltrating OpenAI Codex authentication tokens for over a month. The stolen refresh tokens do not expire, giving attackers indefinite, silent access to any compromised account.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region5 min read
Developer workstation displaying npm package installation and a red security alert representing the OpenAI Codex authentication token theft via codexui-android supply chain attack

Developer workstation displaying npm package installation and a red security alert representing the OpenAI Codex authentication token theft via codexui-android supply chain attack

A widely used npm package has been secretly stealing OpenAI Codex authentication tokens from developers for at least a month, in one of the more sophisticated AI developer supply chain attacks disclosed in 2026.

The package, named codexui-android, is advertised on both GitHub and npm as a remote web UI for OpenAI Codex. It attracts over 29,000 weekly downloads and has undergone active, legitimate development, making it significantly harder to detect than a throwaway typosquatting package. The associated GitHub repository remains clean. The malicious code lives exclusively in the npm build.

The attack was uncovered by Aikido Security researcher Charlie Eriksen, who found that every invocation of the package since approximately version 0.1.82 has been silently extracting the contents of the developer's local Codex authentication file (stored at ~/.codex/auth.json) and forwarding them to an attacker-controlled server hosted at sentry.anyclaw[.]store, a domain deliberately crafted to impersonate Sentry, a legitimate application monitoring platform.

The data being exfiltrated includes access tokens, refresh tokens, ID tokens, and account identifiers. The critical detail is the refresh token. Unlike access tokens, which expire, the stolen refresh token does not. An attacker holding it can silently impersonate the victim indefinitely and access whatever capabilities are tied to that Codex account without any further interaction from the user.

The npm account linked to the package belongs to a user identified as "friuns" (Igor Levochkin). WHOIS records show that the anyclaw[.]store domain was registered on 12 April 2026, exactly two days after the first version of the package was uploaded to the npm registry. The X profile linked to the author includes the same domain.

The Attack Extends Beyond npm

The threat actor behind this campaign has built a multi-vector delivery chain. Aikido also identified an Android application named OpenClaw Codex Claude AI Agent, published under the developer name "BrutalStrike" on Google Play, with over 50,000 downloads. The app runs the malicious npm package inside a PRoot sandbox environment derived from Termux. When a user signs into Codex within the app, the package reads the resulting auth.json file from the sandbox and ships the full OAuth token bundle to the same exfiltration endpoint.

A second BrutalStrike Android app, simply named Codex, has been downloaded more than 10,000 times and contains the identical exfiltration chain. Both apps remain available for download. The package version is not pinned, meaning whatever version is currently live on npm is pulled fresh on each device run.

When Aikido contacted the package author via GitHub, the initial response claimed the author had lost access to their npm account. That response was subsequently edited to a statement claiming an internal investigation was underway and that the affected functionality was being removed. The author declined to explain why the code was inserted exclusively into the npm build, or why Codex authentication tokens were being collected at all.

Why This Matters for Enterprise Security Teams

This attack is part of a clear and accelerating pattern of threat actors targeting AI developer tooling as a supply chain entry point. MCW has previously documented the TrapDoor campaign targeting npm, PyPI and Crates.io to steal credentials from AI and cryptocurrency developers, the GlassWorm developer botnet that poisoned over 300 GitHub repositories, and the fake OpenAI model that reached number one on Hugging Face and delivered a Rust-based infostealer to 244,000 developers. The codexui-android campaign follows the same playbook: build trust through legitimate functionality, insert exfiltration after adoption is established, and target the credentials that unlock the most persistent access.

The Mini Shai-Hulud worm that compromised TanStack, Mistral AI and UiPath via npm and PyPI earlier this year demonstrated that supply chain attacks targeting AI developer workflows can reach production infrastructure rapidly. The codexui-android campaign follows the same playbook: build trust through legitimate functionality, insert exfiltration after adoption is established, and target the credentials that unlock the most persistent access.

As covered in our analysis of how agentic AI is rewriting enterprise attack surfaces, the risk profile of AI developer tooling has expanded significantly in 2026. Codex credentials are not simply chat interface credentials; they provide access to whatever organisational capabilities have been connected to that account. For GCC enterprises adopting AI-assisted development workflows, this is a supply chain risk that requires immediate attention at the security operations level.

Immediate Actions for Security Teams

Check for ~/.codex/auth.json on all developer workstations. If the file exists and the developer has used codexui-android or either of the BrutalStrike Android applications, treat those credentials as compromised and rotate immediately via the OpenAI platform dashboard.

Audit npm package inventories for codexui-android across all developer environments. Remove the package and block the domain anyclaw[.]store at the perimeter.

For organisations managing developer device fleets, verify that no employees have installed OpenClaw Codex Claude AI Agent or the Codex application from BrutalStrike via Google Play. Both remain live on the Play Store at the time of publication.

The broader lesson from this campaign is the same one that supply chain attacks have been teaching consistently: a clean GitHub repository does not mean a clean npm build. AI-assisted vulnerability detection tools are increasingly being applied to package-level analysis, but the detection gap between a malicious build and its discovery still represents a multi-week window during which every invocation exfiltrates credentials silently.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.