A recently discovered npm package that looked legitimate has been found to covertly exfiltrate OpenAI Codex authentication tokens from unsuspecting developers. The package, codexui-android, presented itself as an authentic remote web UI for OpenAI Codex and attracted a substantial user base with no overt signs of malice.
The Discovery of Malicious Intent
The package achieved a notable 27,000 weekly downloads and maintained an active presence on GitHub, all the while secretly siphoning off credentials. For approximately a month, this threat remained undetected, with each version containing concealed code that executed upon startup, requiring no direct user engagement.
According to a report by Aikido, the extra code was present in the published package but absent from the GitHub repository, so it evaded typical code audits and was almost invisible to developers reviewing the source.
Mechanics of the Token Theft
The exfiltration process targeted the auth.json file in the user’s Codex directory. The data was XOR-encrypted with the key “anyclaw2026,” base64-encoded, and discreetly sent to a server in traffic that mimicked legitimate Sentry error reporting. This approach allowed it to blend into routine network activity, significantly complicating detection efforts.
The package was designed to harvest access, refresh, and ID tokens, along with account IDs, in a single operation. Particularly concerning is the theft of refresh tokens, which do not expire, enabling the attacker to impersonate the victim indefinitely.
Expanding the Attack’s Reach
Beyond npm, the same malicious code appeared in an Android app on Google Play named “OpenClaw Codex Claude AI Agent”. This app automatically integrated the npm package upon launch, further extending the reach of the attack. A second app titled “Codex” employed the same codebase under a different identifier, amassing over 10,000 installs.
Pre-publish scans did not detect the app’s malicious nature. Upon launch, it set up a Linux environment in private storage, installed Node.js, and fetched the current version of the npm package, perpetuating the attack cycle.
Recommended Actions for Developers
In light of these findings, developers using codexui-android or the related Android apps should promptly revoke and rotate their OpenAI Codex credentials. They should also monitor for outgoing connections to sentry.anyclaw[.]store, the confirmed endpoint for data exfiltration.
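For responders scoping an incident, the following added example (not code from Aikido's report or from the package) flags proxy log lines that reached the exfiltration host and reverses the base64-then-XOR encoding described above to list which credential fields left the machine, without printing the secrets. The log layout (`client host body`) and the auth.json field names are assumptions, and the sample data is constructed.

```python
import base64
import json
from itertools import cycle

XOR_KEY = b"anyclaw2026"  # key reported in the article
EXFIL_HOST = "sentry.anyclaw[.]store".replace("[.]", ".")  # refang for matching

def xor(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def decode_capture(blob_b64: str) -> dict:
    """Undo base64, then XOR, on a captured request body and parse the JSON."""
    return json.loads(xor(base64.b64decode(blob_b64)))

def exposed_fields(doc: dict, prefix: str = "") -> list:
    """Return key paths holding non-empty values, never the values themselves."""
    found = []
    for k, v in doc.items():
        path = f"{prefix}{k}"
        if isinstance(v, dict):
            found += exposed_fields(v, path + ".")
        elif v:
            found.append(path)
    return sorted(found)

def triage(log_lines):
    """Yield (client, exposed field paths) for each hit on the exfil host."""
    for line in log_lines:
        client, host, body = line.split(" ", 2)
        if host.lower().rstrip(".") == EXFIL_HOST:
            yield client, exposed_fields(decode_capture(body))

# Constructed sample: a fake auth.json (assumed field names, dummy values)
# encoded the way the article describes, embedded in an assumed log format.
_fake_auth = {"tokens": {"access_token": "A-EXAMPLE", "refresh_token": "R-EXAMPLE",
                         "id_token": "I-EXAMPLE", "account_id": "acct-EXAMPLE"}}
_blob = base64.b64encode(xor(json.dumps(_fake_auth).encode())).decode()
SAMPLE_LOG = [
    "10.0.0.7 registry.npmjs.org -",
    f"10.0.0.12 sentry.anyclaw.store {_blob}",
]

if __name__ == "__main__":
    for client, fields in triage(SAMPLE_LOG):
        print(client, "exposed:", ", ".join(fields))
```

Any client that appears in the output should have every listed credential revoked and rotated, refresh token included.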
The investigation by Aikido linked the publisher to the alias “BrutalStrike,” whose popular game has millions of downloads, raising alarms about the potential scale of exposure. As AI tools become more widespread, similar attacks are likely to increase, highlighting the need for heightened vigilance in cybersecurity practices.
