Supply-chain attack targets OpenAI Codex users via npm and Android

CyberSecureFox Editorial Team

Researchers from Aikido Security discovered a malicious campaign targeting developers using OpenAI Codex. The npm package codexui-android, promoted as a remote web interface for OpenAI Codex and reaching over 29,000 downloads per week, had been covertly extracting authentication tokens for roughly a month and sending them to a server controlled by the attackers. In addition to the npm package, the same exfiltration scheme was identified in Android applications on Google Play with a combined audience of more than 60,000 installations. Anyone who has used this package or related applications must immediately revoke their OpenAI tokens.

Attack mechanism: trust as a weapon

The key feature of this campaign is that it does not rely on typosquatting or throwaway trap packages. According to the researchers, codexui-android was a functional package under active development, with a clean GitHub repository. The malicious code was injected roughly a month after the package was first published in the npm registry — presumably to first build user trust and expand its reach.

Starting with version 0.1.82, the package contained code that read the contents of the file ~/.codex/auth.json and sent it to the remote server sentry.anyclaw[.]store/startlog, whose hostname mimics the legitimate Sentry monitoring platform. The data being stolen included:

  • access_token
  • refresh_token
  • id_token
  • account ID

As OpenAI warns in its documentation, when using file-based storage the ~/.codex/auth.json file contains access tokens in plain text and must be treated like a password. Each time a user signs into the Codex application, CLI, or IDE extension via ChatGPT or an API key, the credentials are cached locally in this file.

Aikido researcher Charlie Eriksen emphasized that, in his assessment, the stolen refresh_token does not expire, potentially giving an attacker indefinite access to all capabilities of the compromised account. It should be noted that this claim is not confirmed by official OpenAI documentation.

Vector via Android applications

The npm package turned out not to be the only delivery channel. According to Aikido, the Android application OpenClaw Codex Claude AI Agent (package name: gptos.intelligence.assistant), published by a developer under the name BrutalStrike, ran the npm package inside a PRoot sandbox and sent Codex credentials to the same endpoint.

Technically, the approximately 26 MB application, on first launch, unpacked a Linux userland based on Termux into its private storage and started Node.js via PRoot. The version of the npm package was not pinned — the application downloaded the currently published version, which automatically pulled in the malicious code after it was injected into version 0.1.82.

According to the researchers, this application amassed more than 50,000 installations. A similar exfiltration chain was found in a second application by the same developer — Codex (package name: codex.app) — with more than 10,000 downloads. The other three BrutalStrike applications reportedly did not contain malicious functionality.

Author response and digital footprint

When the package author was contacted via GitHub, their behavior raised additional questions. Initially, they claimed to have lost access to the npm account, then edited the response to say they were “conducting an internal investigation” and had “started removing the affected functionality and related data.” The author asserted that the credentials were not shared with third parties, but did not explain why the code to access Codex tokens was added exclusively to the npm build of the package.

Notably, the author’s profile on social network X lists the domain anyclaw[.]store — the same domain to which the stolen data was sent. According to WHOIS records, the domain was registered just two days after the first version of the npm package (0.1.72) was published, indicating that the infrastructure was planned in advance.

Indicators of compromise

  • Exfiltration domain: sentry.anyclaw[.]store
  • Endpoint: sentry.anyclaw[.]store/startlog
  • Infrastructure domain: anyclaw[.]store
  • Affected npm package: codexui-android (starting from version 0.1.82)
  • Affected Android applications: gptos.intelligence.assistant, codex.app

Recommendations

  1. Immediately remove the codexui-android package from all projects and check dependencies for its presence.
  2. Revoke and reissue all OpenAI tokens. Delete the ~/.codex/auth.json file and re-authenticate after cleanup.
  3. Check network logs for connections to the anyclaw.store and sentry.anyclaw.store domains.
  4. Uninstall the Android applications OpenClaw Codex Claude AI Agent and Codex by developer BrutalStrike if they were installed.
  5. Audit OpenAI account activity for unauthorized actions over the past month.
  6. Consider switching Codex credential storage to the OS keychain instead of storing them in plain-text files.
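Recommendations 1 and 3 can be checked mechanically. The following Node.js script is an added example, not code from Aikido or the article: it walks a lockfile (v2/v3 `packages` map) for codexui-android, flags versions from 0.1.82 onward, and filters proxy log lines for the exfiltration domains listed above. The lockfile and log lines are constructed sample data.

```javascript
// Added example: detect the affected package in a lockfile and the
// exfiltration domains in proxy logs. Sample data below is constructed.
const AFFECTED_PACKAGE = "codexui-android";
const FIRST_BAD_VERSION = "0.1.82";              // first version with the token stealer
const IOC_DOMAINS = ["anyclaw.store", "sentry.anyclaw.store"];

// Compare dotted numeric versions (e.g. "0.1.72" vs "0.1.82"): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lockfile v2/v3 keys look like "node_modules/foo" or
// "node_modules/foo/node_modules/bar"; the last segment is the package name.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    const name = path.split("node_modules/").pop();
    if (name !== AFFECTED_PACKAGE) continue;
    hits.push({
      path,
      version: meta.version,
      malicious: compareVersions(meta.version, FIRST_BAD_VERSION) >= 0,
    });
  }
  return hits;
}

// Keep log lines that contain an IoC domain or any subdomain of it,
// without matching look-alike names such as "notanyclaw.store".
function findIocConnections(lines) {
  const escaped = IOC_DOMAINS.map((d) => d.replace(/\./g, "\\."));
  const re = new RegExp(
    `(^|[^a-z0-9.-])([a-z0-9-]+\\.)*(${escaped.join("|")})(?![a-z0-9-])`, "i");
  return lines.filter((l) => re.test(l));
}

// Constructed sample input: one affected dependency, one benign one.
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/codexui-android": { version: "0.1.85" },
  "node_modules/express": { version: "4.19.2" },
} };
const sampleLogs = [
  "2025-01-01T10:00:00Z CONNECT sentry.anyclaw.store:443",
  "2025-01-01T10:00:05Z CONNECT registry.npmjs.org:443",
];
console.log(findAffected(sampleLock), findIocConnections(sampleLogs));
```

Point `findAffected` at the parsed contents of each project's package-lock.json; a hit with `malicious: false` still means the package is present and should be removed per recommendation 1.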

This incident demonstrates a mature supply-chain attack tactic: a functional package, a trust-building period, malicious injection only into the npm build while keeping the GitHub repository clean, and parallel distribution via mobile applications. Developers using AI-based tools should apply the same least-trust principles to them as to any third-party code: pin dependency versions, check for differences between the source code in the repository and the published package, and store authentication tokens exclusively in protected operating-system key stores.

