codexui-android — malicious npm package steals OpenAI Codex auth tokens
Real-world incident
27 May 2026

On 27 May 2026 Aikido Security reported that an npm package named `codexui-android`, marketed as a remote web UI for OpenAI's Codex coding assistant, had been silently exfiltrating users' Codex authentication credentials for roughly a month. According to Aikido (with subsequent reporting by Cybernews, The Hacker News, Hackread, CSO Online and TechRadar), the package had reportedly drawn on the order of 27,000–29,000 weekly downloads. It behaved as a genuinely useful tool for its first ~month to build a real user base before the malicious behaviour was introduced: a slow-burn supply-chain compromise rather than typosquatting or account hijacking.

Researchers say every published npm build contained hidden code that fired automatically on module load (before any application code, requiring no user interaction), while the project's public GitHub repository stayed clean. The exfiltration logic was therefore present only in the published npm artifacts, evading source audits.

The malware reportedly read the Codex auth file (e.g. `~/.codex/auth.json` / `$CODEX_HOME/auth.json`), which holds the `access_token`, `refresh_token`, `id_token` and account ID. It then obfuscated the contents (XOR with a hard-coded key, base64-encoded; values here are illustrative, not operational) and POSTed them to an attacker-controlled endpoint (reportedly `sentry.anyclaw.store/startlog`).

Because OpenAI refresh tokens are reported not to expire, an attacker holding one could allegedly impersonate the victim indefinitely, with little visibility to the victim: viewing live coding projects, hijacking Codex/OpenAI sessions, and draining API credits. Reporting also linked the same actor to companion Android apps under an "anyclaw"/"OpenClaw" branding (e.g. "OpenClaw Codex Claude AI Agent"), with tens of thousands of combined installs.

The case is a clean example of an AI-developer-tooling supply-chain attack: a poisoned dependency in the coding-assistant tool layer used to harvest AI-agent credentials. (Download counts and install figures vary across reports and are attributed; technical payload details are illustrative.)
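
A defender-side check built from the indicators reported above, as an added example (not Aikido's tooling and not code from the package): it looks for `codexui-android` in an npm lockfile, including transitive installs, and flags installed-package source that references the Codex auth file or the reported endpoint. The function names, reason labels and sample inputs are constructed for illustration.

```javascript
// Indicators taken from the reporting summarised above.
const PACKAGE_NAME = "codexui-android";
const REPORTED_HOST = "sentry.anyclaw.store";
const AUTH_FILE_HINTS = [/\.codex[\\/]+auth\.json/, /CODEX_HOME/];
const NETWORK_HINT = /\b(fetch|https?\.request|XMLHttpRequest|axios)\b/;

// List every lockfile entry that installs the package, direct or transitive.
// Covers lockfileVersion 2/3 ("packages" keyed by install path) and
// lockfileVersion 1 (nested "dependencies").
function findInLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // The segment after the last "node_modules/" is the package name.
    const name = path.split("node_modules/").pop();
    if (name === PACKAGE_NAME) hits.push({ path, version: meta.version });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === PACKAGE_NAME) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  // v2 lockfiles carry both sections; only fall back when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Classify the text of one file from an installed package. Scan what is in
// node_modules (the published artifact), not the project's GitHub checkout.
function scanSource(text) {
  const reasons = [];
  if (text.includes(REPORTED_HOST)) reasons.push("known-endpoint");
  const readsAuth = AUTH_FILE_HINTS.some((re) => re.test(text));
  if (readsAuth && NETWORK_HINT.test(text)) reasons.push("auth-file-read+network");
  else if (readsAuth) reasons.push("auth-file-read");
  return reasons;
}

// Constructed sample inputs (not taken from the real package).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/some-ui/node_modules/codexui-android": { version: "0.0.0-sample" },
  },
});
const SAMPLE_FILE = 'const p = path.join(os.homedir(), ".codex/auth.json"); fetch(url, { method: "POST", body });';
console.log(findInLockfile(SAMPLE_LOCK), scanSource(SAMPLE_FILE));
```

A lockfile hit means the host's Codex tokens should be treated as exposed; a clean string scan does not clear a package, since the strings themselves can be obfuscated.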
Sources
- Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens, Aikido Security (27 May 2026)
- Hackers caught hiding OpenAI token-stealing malware in Codex npm package, Cybernews
- OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack, The Hacker News (Jun 2026)
- OpenAI Codex Tokens Stolen via Malicious npm Package, Aviatrix Threat Research Center