PROBABLYPWNED
Malware | June 3, 2026 | 4 min read

OpenAI Codex Users Hit by Token-Stealing npm Package

Malicious codexui-android npm package stole OpenAI refresh tokens from 29K developers. Mobile apps with 60K installs also compromised—revoke credentials now.

James Rivera

A supply chain attack targeting OpenAI Codex developers has compromised authentication tokens from approximately 29,000 weekly npm downloads plus an additional 60,000 mobile app installations. Aikido Security researchers discovered the malicious codexui-android package was silently exfiltrating Codex credentials to attacker-controlled infrastructure for roughly a month before detection.

The attack demonstrates a patience rarely seen in supply chain compromises—the package functioned legitimately for its first month, building user trust before introducing credential theft in a subsequent update.

The Trust-Building Phase

The codexui-android package first appeared on npm on April 10, 2026, marketed as a remote web UI for OpenAI Codex. For its first four weeks, the package worked exactly as advertised. The source code on GitHub remained clean throughout, with malicious functionality only appearing in npm registry releases.

Two days after the initial npm upload, attackers registered the domain anyclaw[.]store—infrastructure that would later receive stolen credentials. This timeline suggests the campaign was planned from the start, with the legitimate functionality serving purely as cover.

How the Attack Worked

Once the package accumulated a user base, an npm update introduced credential-stealing code targeting the Codex authentication file at ~/.codex/auth.json. Every invocation of the tool quietly extracted:

  • Access tokens
  • Refresh tokens
  • ID tokens
  • Account identifiers

The data was transmitted to sentry.anyclaw[.]store, a server masquerading as the legitimate Sentry monitoring platform. The impersonation helped the traffic blend with expected application behavior.
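A detection sketch for the exfiltration channel described above, as an added example that is not code from the article or from Aikido Security: it flags DNS queries for the reported domain or any of its subdomains. The log layout (timestamp, client IP, queried name) and every sample line are assumptions constructed for illustration.

```javascript
// Added example (not from the article). Log format is an assumption:
// "<timestamp> <client-ip> <queried-name>" per line.
const IOC_DOMAIN = 'anyclaw[.]store'.replace('[.]', '.'); // refanged from the article

// Lowercase and drop the trailing root dot so "Example.COM." equals "example.com".
function normalizeHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, '');
}

// Match the IoC domain or any subdomain on a label boundary, so look-alikes
// such as "not<ioc>" or "<ioc>.example.com" are not flagged.
function isIocHost(host, ioc = IOC_DOMAIN) {
  const h = normalizeHost(host);
  return h === ioc || h.endsWith('.' + ioc);
}

// Return one record per log line whose queried name matches the IoC.
function findIocQueries(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 3) continue; // skip blank or malformed lines
    const [timestamp, client, qname] = parts;
    if (isIocHost(qname)) hits.push({ timestamp, client, qname: normalizeHost(qname) });
  }
  return hits;
}

// Constructed sample log lines (clients, times and other names are made up).
const SAMPLE_DNS_LOG = [
  '2026-05-20T09:14:02Z 10.0.4.17 registry.npmjs.org.',
  `2026-05-20T09:14:05Z 10.0.4.17 SENTRY.${IOC_DOMAIN.toUpperCase()}.`,
  '2026-05-20T09:14:09Z 10.0.4.22 sentry.io',
  `2026-05-20T09:15:40Z 10.0.4.22 not${IOC_DOMAIN}`,
  `2026-05-20T09:16:11Z 10.0.4.31 ${IOC_DOMAIN}.example.com`,
  `2026-05-20T09:17:30Z 10.0.4.31 sentry.${IOC_DOMAIN}`,
].join('\n');

console.log(findIocQueries(SAMPLE_DNS_LOG));
```

The label-boundary match is what keeps legitimate Sentry traffic and unrelated look-alike names out of the results while still catching case and trailing-dot variants.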

The Persistence Problem

OpenAI refresh tokens present a particular danger: they don't expire. As researcher Charlie Eriksen explained, "An attacker holding [a refresh token] can silently impersonate you indefinitely."

Unlike session tokens that expire after hours or days, a compromised refresh token grants persistent access until the user explicitly revokes it. Many developers may not realize their credentials were stolen until attackers drain API credits or access sensitive project data.

Mobile Attack Vector

The campaign extended beyond npm to Android applications. Two apps published by a developer called "BrutalStrike" contained the same credential theft mechanism:

  • OpenClaw Codex Claude AI Agent (50,000+ downloads)
  • Codex (10,000+ downloads)

Both apps ran the malicious npm package inside a PRoot Linux sandbox, extracting credentials when users signed into Codex through the app interface. The apps automatically pulled the latest npm package versions, meaning devices continuously received updated malicious code.

This multi-platform approach—combining npm supply chain compromise with mobile app distribution—significantly expanded the attack surface beyond traditional developer workstations.

Detection and Response

Immediate Actions:

  1. Revoke all Codex authentication tokens via OpenAI's security settings
  2. Check ~/.codex/auth.json for unexpected access patterns
  3. Monitor OpenAI account activity for unauthorized API calls
  4. Uninstall any BrutalStrike Android applications
  5. Audit npm dependencies for codexui-android references
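One way to carry out step 5, as an added example that is not from the article: searching a parsed `package-lock.json` rather than `package.json`, so that transitive installs of codexui-android are found as well as direct ones. The sample lockfiles, the package name `example-codex-helper` and the version strings are constructed for illustration.

```javascript
// Added example (not from the article). Input is a parsed package-lock.json.
const TARGET = 'codexui-android'; // package name reported in the article

// Return [{ path, version }] for every recorded install of `name`.
function findInLockfile(lock, name = TARGET) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    const marker = 'node_modules/';
    for (const [key, meta] of Object.entries(lock.packages)) {
      const idx = key.lastIndexOf(marker);
      if (idx !== -1 && key.slice(idx + marker.length) === name) {
        hits.push({ path: key, version: meta.version });
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, walked recursively.
    const walk = (deps, trail) => {
      for (const [dep, meta] of Object.entries(deps || {})) {
        const here = [...trail, dep];
        if (dep === name) hits.push({ path: here.join(' > '), version: meta.version });
        walk(meta.dependencies, here);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed lockfiles: the target is pulled in transitively, so it never
// appears in the project's own package.json.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'example-codex-helper': '^1.0.0' } },
    'node_modules/example-codex-helper': { version: '1.0.0' },
    'node_modules/example-codex-helper/node_modules/codexui-android': { version: '0.0.0-constructed' },
    'node_modules/example-logger': { version: '2.1.0' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'example-codex-helper': {
      version: '1.0.0',
      dependencies: { 'codexui-android': { version: '0.0.0-constructed' } },
    },
  },
};

console.log(findInLockfile(SAMPLE_LOCK_V3), findInLockfile(SAMPLE_LOCK_V1));
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json`; any hit means the package was installed there, whether or not it is declared directly.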

Preventive Measures:

  • Treat authentication files like passwords—never commit them to repositories
  • Use OS-specific credential stores instead of plaintext files where available
  • Pin npm dependencies to specific versions after auditing
  • Enable multi-factor authentication on AI platform accounts

A Growing Pattern

This attack continues a troubling trend of supply chain compromises targeting AI developers. Last week we covered the Red Hat npm Miasma attack that compromised 32+ packages under an official namespace. Both campaigns exploited the trust developers place in package registries and the valuable credentials modern AI tools require.

The Hugging Face infostealer we reported on similarly targeted AI developers through fake model uploads. Attackers recognize that AI development environments contain high-value credentials—API keys with billing access, OAuth tokens for cloud services, and deployment credentials.

Why This Matters

AI tools increasingly require persistent authentication to function. OpenAI Codex, Claude, and similar platforms store credentials locally for seamless operation, but this convenience creates attractive targets. A single compromised developer workstation can expose API access worth thousands of dollars in compute costs.

The month-long trust-building phase makes this attack particularly concerning. Security scanning tools that only check new packages may miss malicious updates to established dependencies. Organizations need continuous monitoring of package behavior, not just point-in-time audits at installation.

For guidance on securing development environments, see our online safety tips and consider implementing supply chain security tools that monitor runtime behavior of dependencies.
