A popular npm package called codexui-android, which provided a remote web UI for OpenAI Codex, was silently exfiltrating developer authentication tokens to an attacker-controlled server for approximately one month before being discovered. The package had 27,000 weekly downloads, active development, and a polished GitHub repository, according to Aikido Security researcher Charlie Eriksen, who published the disclosure on May 27.
The stolen credentials included access tokens, refresh tokens, ID tokens, and account IDs. The refresh tokens do not expire, meaning an attacker holding them can impersonate the victim indefinitely.
How the Exfiltration Worked
The malicious code was never committed to the package’s public GitHub repository. It existed only in the published npm build, according to Aikido’s analysis. A developer auditing the source code would find nothing suspicious.
On every startup, the package’s entry point loaded a chunk that executed before any application code. That chunk read the contents of ~/.codex/auth.json, XOR-encrypted the payload with a hardcoded key, and sent it via HTTPS POST to sentry.anyclaw.store/startlog. The endpoint was named to mimic legitimate Sentry error-reporting traffic. A developer monitoring network connections would see sentry.* requests and assume they were telemetry.
The author’s own source map comment was explicit: “Send tokens to our startlog endpoint (always, independent of Sentry).”
The Android Vector
The same author published an Android app on Google Play called “OpenClaw Codex Claude AI Agent” that pulled the malicious npm package on first launch, according to Aikido. The app ran a Termux-derived Linux userland inside PRoot, installed codexui-android@latest from npm without version pinning, and executed the same exfiltration chain. A second Play Store app, “Codex” (10,000+ installs), used an identical codebase with the same Kotlin namespace and authentication callback scheme.
Three other apps from the same developer, including a game with 5 million+ downloads, contained none of the malicious infrastructure.
When confronted, the author initially posted a comment claiming they had lost access to their npm account. That comment was deleted and replaced with a statement denying the allegations, as Cybernews reported.
A Pattern, Not an Anomaly
This is the third npm supply chain attack targeting AI developer tools disclosed in May 2026 alone. On May 26, OX Security discovered a separate malicious package called mouse5212-super-formatter that targeted Anthropic’s Claude AI user directory, uploading files from /mnt/user-data to an attacker-controlled GitHub account, according to The Hacker News. That package had been downloaded 676 times before discovery. The TanStack npm compromise on May 11 affected 42 packages in a six-minute window.
“Now that the bar to create malicious code was reduced significantly, we’re going to see more threat actors getting into the game,” OX Security said in its analysis of the Claude-targeting package.
What Agent Developers Should Check
The codexui-android attack is distinct from typical supply chain incidents because the package was genuinely useful. It had real functionality, active maintenance, and a growing user base. The legitimacy was the attack vector. Any developer who installed the package since version 0.1.82 should rotate their OpenAI credentials immediately and audit any API activity against their accounts.
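One way to check whether a project resolved an affected release is to audit its lockfile. The following is an added example, not code from Aikido or from the package: the package name and the 0.1.82 threshold come from the article, while the function names and the sample lockfile are constructed, and every version at or above 0.1.82 is assumed to be affected because the article names no fixed release.

```javascript
// Added example: find codexui-android >= 0.1.82 in a parsed package-lock.json.
const PKG = "codexui-android";   // package name from the article
const FIRST_BAD = [0, 1, 82];    // "since version 0.1.82" per the article

// Parse "1.2.3" or "1.2.3-beta.1" into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v || ""));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when version >= FIRST_BAD. Unparseable versions and pre-releases of
// 0.1.82 are reported as affected so a human reviews them (conservative choice).
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIRST_BAD[i]) return v[i] > FIRST_BAD[i];
  }
  return true; // exactly 0.1.82
}

// Return [{path, version, affected}] for every installed copy of PKG.
function findInLockfile(lock) {
  const hits = [];
  const add = (path, version) =>
    hits.push({ path, version, affected: isAffected(version) });
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, nested copies included.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
        add(path, meta.version);
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    (function walk(deps, trail) {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${trail}node_modules/${name}`;
        if (name === PKG) add(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    })(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile; the versions are illustrative only.
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/codexui-android": { version: "0.1.90" },
  "node_modules/some-tool/node_modules/codexui-android": { version: "0.1.81" },
  "node_modules/left-pad": { version: "1.3.0" },
} };
console.log(findInLockfile(sampleLock));
```

To audit a real project, pass the parsed contents of its package-lock.json to findInLockfile; any hit with affected set to true means the credentials in ~/.codex/auth.json on that machine should be treated as exposed.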
For teams building agent infrastructure, the lesson is architectural: authentication tokens for AI services are high-value targets with long lifespans. Treating them with the same security posture as database credentials or cloud provider keys is no longer optional.