codexui-android npm Package Is Quietly Stealing OpenAI Codex Tokens From 29,000 Weekly Users

AI-developer-tool credentials are now Tier 1 secrets. codexui-android is the demonstration: a polished, useful npm package that built a real user base for one month, then quietly turned thousands of OpenAI Codex sessions into a persistent stolen-token harvest.

SAN FRANCISCO, CALIFORNIA — Aikido Security researcher Charlie Eriksen disclosed on May 27, 2026 that codexui-android — an npm package advertised on GitHub and npm as a remote web UI for OpenAI Codex, drawing roughly 29,000 weekly downloads on npm — has, for the past month, been silently exfiltrating users' Codex authentication tokens to an attacker-controlled server. The Hacker News published a detailed account on June 1, 2026 confirming the package remained available for download from the npm registry at the time of reporting.

The exfiltration code is not in the public GitHub repository. It exists only in the published npm builds, has been present since version 0.1.82, and runs at module load on every invocation. The captured data is the complete contents of ~/.codex/auth.json — the file OpenAI itself warns developers to treat like a password.

What Happened

On May 27, 2026, Aikido Security researcher Charlie Eriksen documented that codexui-android — an npm package billed as a remote web UI for OpenAI Codex with roughly 29,000 weekly downloads — has been silently exfiltrating users' Codex authentication tokens. The Hacker News reported the same findings on June 1, 2026, and confirmed the package remained available on the npm registry at the time of publication.

The exfiltration is not subtle. The first line of dist-cli/index.js imports a chunk that runs at module load with no function call and no user interaction. The chunk reads ~/.codex/auth.json, XOR-encrypts it with the key 'anyclaw2026', and POSTs the result to sentry.anyclaw.store/startlog — an endpoint named to masquerade as the legitimate Sentry error-tracking service. The captured payload is the entire auth.json file: access_token, refresh_token, id_token, and account ID.

The GitHub repository is clean. The malicious chunk was never committed there and appears only in the npm builds, in place since codexui-android@0.1.82 — roughly a month after the first version shipped. WHOIS records show the anyclaw.store C2 domain was registered on April 12, 2026, two days after the first npm version (0.1.72) went live. The npm account is friuns (Igor Levochkin), the same identity that operates on GitHub and Google Play as BrutalStrike.

The Refresh Token Is the Point

Most credential theft trades on time pressure — a stolen API key is useful only until it is rotated. The codexui-android exfiltration is different because of what it captures: the OAuth refresh_token from ~/.codex/auth.json. The refresh_token does not expire. An attacker holding it can mint new access_tokens indefinitely, silently, without ever again touching the victim's machine. A stolen Codex refresh_token is not access to a chat session; it is persistent, silent access to whatever the victim's OpenAI account can do — API calls, billing-account use of premium AI services, and any other resource that authenticates against the same identity. That turns a one-month exfiltration window into a long-tail compromise that survives the package's eventual removal.

The Android Apps Pull the Same Package Automatically

codexui-android is not the only delivery vector. The same author publishes an Android app on Google Play called OpenClaw Codex Claude AI Agent (package name gptos.intelligence.assistant), with more than 50,000 installs. Per Aikido's APK analysis, the app extracts a Termux-derived Linux userland on first run and executes Node.js under PRoot. The bootstrap script installs codexui-android from npm with no pinned version, so every device pulls whatever is currently published. When the user signs in to Codex, auth.json is written into the PRoot sandbox; the package reads it out and ships the OAuth blob to sentry.anyclaw.store/startlog. A second app from the same publisher — Codex (package name codex.app), with more than 10,000 installs — uses the same exfiltration chain.

The AI-Developer-Tool Supply-Chain Frontier

codexui-android does not arrive alone. It is the third major AI-developer-tool npm incident in 72 hours, after Microsoft's research on 33 malicious npm packages that abused dependency confusion against OpenSearch and Elasticsearch builds on May 30, and the Mini Shai-Hulud cluster of typosquatted npm packages targeting cloud and CI/CD secrets on May 31. It sits in the same pattern as Trapdoor, the cross-ecosystem campaign that poisoned npm, PyPI, and Crates with packages aimed at AI coding assistants, and Symjack's fake Claude installers that delivered cryptojackers. These are independent operators converging on one conclusion: AI developer tooling concentrates high-value credentials in a young, sparsely-defended ecosystem, and the npm registry is the most efficient way to reach them.

Scope and Impact

What the malicious build steals is the complete OAuth state for a Codex session: the access_token grants API-level access, the id_token confirms identity, the account ID names the billing account, and the refresh_token — which does not expire — lets the attacker mint fresh access_tokens as long as the credentials remain valid on OpenAI's side. OpenAI's own documentation warns that ~/.codex/auth.json should be treated like a password: not committed, not pasted into tickets, not shared. codexui-android is the exact breach of that guidance, executed at the scale of tens of thousands of weekly installs.

The exposure window is wide and not yet closed. The malicious code has been present since codexui-android@0.1.82 and ran on every invocation for roughly a month before disclosure. Aikido reports that the author, after being contacted on GitHub, first claimed to have lost access to their npm account and then edited the response to say they were 'currently investigating this issue internally' and 'have started removing the affected functionality and related data.' The author did not explain why the exfil code existed only in the npm build, and did not address the Codex token capture directly. At publication, the package was still live on npm and the Android apps remain on Google Play. The pattern is the same one that produced Packagist's malicious package.json payload campaign and the Laravel-Lang credential-stealer wave earlier in May, and the same playbook ESET's October 2025 – March 2026 APT report tracked across multiple state-aligned operations. The defender problem is no longer 'spot the typosquat'; it is 'how do you trust a package that, until last month, did exactly what its README said it did?'

Several specifics are not yet public. The total number of Codex tokens exfiltrated has not been disclosed, and neither has the volume of fraudulent OpenAI API usage charged to victim accounts. OpenAI has not, at the time of reporting, issued guidance specifically referencing codexui-android beyond its standing advice to treat auth.json as a password. Whether npm will remove the package and whether the related Android apps will be pulled from Google Play was unresolved at publication. The structural fix the industry has been debating for weeks, npm's staged publishing and 2FA-gated release approval proposal, is precisely the kind of control that would have raised friction on the malicious release. None of it was in place when codexui-android@0.1.82 shipped.

Response and Attribution

For any organization whose developers use OpenAI Codex, the immediate action list is concrete. Audit npm install logs across the developer fleet for codexui-android and for any AI-tool-adjacent package installed in the past 60 days the developer cannot justify by name. If codexui-android is present anywhere, treat the OpenAI credentials on that machine as compromised: force-rotate the Codex tokens, invalidate cached auth.json, and assume the refresh_token has been exfiltrated and remains usable until OpenAI revokes it. Implement API-key restrictions on the OpenAI side — IP allowlisting, usage caps, scoped permissions. If you run an internal npm proxy, block codexui-android there.

For DevSecOps and platform teams, the 'fake AI-tool helper package' is now a documented attack class. Inventory every AI-tool-adjacent npm and PyPI package your developers actually need, and block-by-default the rest. Add the AI-developer-tool credential set — OpenAI keys, Anthropic keys, Copilot tokens, Codex auth files — to your Tier 1 secrets list explicitly, with 30-to-90-day automatic rotation. For SOC and threat-hunting teams, hunt for outbound traffic from developer endpoints to sentry.anyclaw[.]store following any npm install. Abuse of stolen Codex tokens will show up as billing-account anomaly first.

On attribution, there is none in the formal sense — the actor self-identifies as friuns / Igor Levochkin on npm and as BrutalStrike on GitHub and Google Play, but no government or vendor has confirmed those identifiers. The author's own statements, per Aikido's report, did not address the Codex token capture and contradicted themselves in a single GitHub thread. The pattern matters more than the name: codexui-android is the live token-stealing side of the same npm offensive that Microsoft's 33-package dependency-confusion research documented as recon-staging and that the Megalodon GitHub Actions campaign industrialized as a workflow-poisoning operation. Three operators, three surfaces, one conclusion: the developer trust surface is the front line, and AI-developer-tool credentials are now the prize.

The CyberSignal Analysis

Signal 01 — AI-Developer-Tool Credentials Are Tier 1 Secrets

The lesson of codexui-android is not 'audit your npm packages.' The lesson is that the credentials inside ~/.codex/auth.json have caught up with the credentials inside ~/.aws/credentials, and the rotation and protection rules need to follow. An OpenAI Codex refresh_token is a non-expiring credential that grants persistent, identity-bound access to a billing account and to whatever AI services that account can reach. That is a production-database-password class of secret. AI-developer-tool credentials belong on the Tier 1 secrets list, with MFA-gated access, automated rotation, and the same incident-class response to suspected exposure as any other top-tier credential. Anything less treats the npm registry as the access-control plane — exactly the trust the codexui-android author exploited.

Signal 02 — Legitimacy Is the Attack Vector

codexui-android is not a typosquat. It is a functional tool with a real GitHub repository, active development, and a user base that grew to tens of thousands of weekly downloads before the malicious chunk was inserted. The author invested a month of credible open-source work to build the trust the exfiltration code then traded on. The defender's question is no longer 'is this package known to be malicious?' but 'is the package author someone whose ongoing maintenance I can trust on every developer machine?' Neither npm nor the IDE knows the answer. The practical mitigations are blunt — package allowlists, install-time scanning at the artifact-repo layer, and a default assumption that any new AI-developer-tool dependency is a candidate for the next codexui-android.

Signal 03 — The npm Supply-Chain Cluster Is Operational, Not Episodic

The defining fact of late May and early June 2026 is that the npm supply-chain attack surface is no longer producing incidents in isolation. In 72 hours: Microsoft's 33-package dependency-confusion research, the Mini Shai-Hulud typosquat cluster, and codexui-android. Different operators, different techniques, one cadence — multiple high-impact npm campaigns per week, AI-developer-tool packages the densest target. Episodic response will fail. The defender posture has to be continuous: install monitoring every day, AI-credential rotation on a fixed clock, and executive-level acceptance that the developer toolchain is a primary attack vector for the rest of 2026.

Sources