
codexui-android — malicious npm package steals OpenAI Codex auth tokens

Real-world incident · 27 May 2026

On 27 May 2026 Aikido Security reported that an npm package named `codexui-android`, marketed as a remote web UI for OpenAI's Codex coding assistant, had been silently exfiltrating users' Codex authentication credentials for roughly a month. According to Aikido (with subsequent reporting by Cybernews, The Hacker News, Hackread, CSO Online and TechRadar), the package had reportedly drawn on the order of 27,000–29,000 weekly downloads, behaving as a genuinely useful tool for its first ~month to build a real user base before the malicious behaviour was introduced — a slow-burn supply-chain compromise rather than typosquatting or account hijacking.

Researchers say every published npm build contained hidden code that fired automatically on module load (before any application code, requiring no user interaction), while the project's public GitHub repository stayed clean — so the exfiltration logic was present only in the published npm artifacts, evading source audits. The malware reportedly read the Codex auth file (e.g. `~/.codex/auth.json` / `$CODEX_HOME/auth.json`), which holds the `access_token`, `refresh_token`, `id_token` and account ID, then obfuscated the contents (XOR with a hard-coded key, base64-encoded — values here are illustrative, not operational) and POSTed them to an attacker-controlled endpoint (reportedly `sentry.anyclaw.store/startlog`).

Because OpenAI refresh tokens are reported not to expire, an attacker holding one could allegedly impersonate the victim indefinitely — viewing live coding projects, hijacking Codex/OpenAI sessions, and draining API credits — with little visibility to the victim. Reporting also linked the same actor to companion Android apps under an "anyclaw"/"OpenClaw" branding (e.g. "OpenClaw Codex Claude AI Agent"), with tens of thousands of combined installs.

The case is a clean example of an AI-developer-tooling supply-chain attack: a poisoned dependency in the coding-assistant tool layer used to harvest AI-agent credentials.

(Download counts and install figures vary across reports and are attributed; technical payload details are illustrative.)


AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning — not operational guidance. Real-world cases are summarised from public reporting.

Sources & further reading · Built by Shi Yuan