A functional npm package marketed as a remote web UI for OpenAI Codex has been exfiltrating developer authentication tokens for the past month. The package, codexui-android, accumulated 29,000 weekly downloads before security researchers at Aikido Security disclosed the theft on May 27. The package remains available on npm as of June 1.
How the Attack Works
The exfiltration code runs on every startup, before any application logic. According to Aikido researcher Charlie Eriksen, the package reads the contents of Codex’s local ~/.codex/auth.json file, XOR-encrypts the data, and sends it to a server at sentry.anyclaw[.]store disguised as legitimate Sentry error-reporting traffic.
The stolen payload includes access tokens, refresh tokens, ID tokens, and account IDs. The critical detail: Codex refresh tokens do not expire. “An attacker holding it can silently impersonate you indefinitely,” Eriksen wrote.
The malicious code was introduced roughly a month after the package’s initial publication, likely to build trust first. It was never committed to the GitHub repository. Developers auditing the source code would find nothing. The exfiltration logic only exists in the published npm build, according to The Hacker News.
Beyond NPM: Android Apps Carry the Same Payload
The npm package is not the only delivery vector. Aikido identified two Android applications linked to the same campaign. An app named “OpenClaw Codex Claude AI Agent” (published by “BrutalStrike” on Google Play) runs the npm package inside a PRoot sandbox and sends credentials to the same endpoint. That app has over 50,000 downloads. A second app, simply called “Codex,” adds another 10,000 installs, according to The Hacker News.
The Android attack chain is notable: the APK extracts a Termux-derived Linux userland into private storage, runs Node.js via PRoot, and pulls whatever version of codexui-android is currently published on npm. The version is not pinned, so every device automatically receives the malicious build.
The Author’s Response
The npm account behind the package belongs to “friuns” (Igor Levochkin), according to Aikido. When confronted on GitHub, the author first claimed they had lost access to their npm account, then edited their response to say they were “investigating this issue internally.” The author’s own X profile links to the anyclaw[.]store domain. WHOIS records show that domain was registered on April 12, 2026, two days after the first version of the package was uploaded to npm, The Hacker News reported.
Agent Infrastructure as Attack Surface
Codex is increasingly used as the reasoning and execution layer in agentic coding workflows: spawning agents, automating build systems, running CI/CD pipelines. A stolen refresh token grants persistent access to all of that. OpenAI’s own documentation warns developers to treat ~/.codex/auth.json like a password file: “Don’t commit it, paste it into tickets, or share it in chat.”
The pattern here extends beyond one package. As agentic AI tools proliferate, the credentials that connect them to model providers become high-value targets. Unlike traditional API keys that organizations rotate on schedules, OAuth refresh tokens with no expiration create indefinite access windows. Any team running agents through Codex should audit their installed packages and rotate credentials immediately.