A sophisticated software supply chain attack has been uncovered targeting developers who use OpenAI Codex, with researchers identifying a popular npm package that secretly steals authentication tokens while appearing to function as a legitimate tool.
Security researchers at Aikido Security revealed that a package named codexui-android, promoted as a remote web interface for OpenAI Codex, contains hidden code designed to exfiltrate sensitive authentication credentials. Despite the malicious behavior, the package remains available on npm and has accumulated more than 29,000 weekly downloads.
A Different Kind of Supply Chain Attack
Unlike traditional software supply chain attacks that rely on typosquatting or fake packages, this campaign is particularly concerning because the malicious code was introduced into a legitimate, actively maintained project.
The package initially appeared clean and functional, helping it gain credibility among developers. According to researchers, the malicious functionality was added approximately one month after the package’s release, likely after it had already built trust within the developer community.
Even more deceptive, the associated GitHub repository appears clean, while the malicious code exists only in the npm-distributed version.
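One way to check for this kind of divergence is to hash the files in the published package and compare them with a checkout of the repository. The following is an added example, not code from Aikido Security or from the package; the file names and contents in the sample are constructed.

```javascript
const crypto = require('node:crypto');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Map of relative path -> SHA-256 for each regular file under root.
// The recursive option of readdirSync needs Node.js 18.17 or later.
function hashTree(root) {
  const hashes = new Map();
  for (const rel of fs.readdirSync(root, { recursive: true })) {
    const abs = path.join(root, rel);
    if (!fs.lstatSync(abs).isFile()) continue;
    const digest = crypto.createHash('sha256').update(fs.readFileSync(abs)).digest('hex');
    hashes.set(rel.split(path.sep).join('/'), digest);
  }
  return hashes;
}

// Report files that ship in the package but are absent from, or differ from, the repo.
function comparePublished(pkgDir, repoDir) {
  const pkg = hashTree(pkgDir);
  const repo = hashTree(repoDir);
  const onlyInPackage = [];
  const changed = [];
  for (const [rel, digest] of pkg) {
    if (!repo.has(rel)) onlyInPackage.push(rel);
    else if (repo.get(rel) !== digest) changed.push(rel);
  }
  return { onlyInPackage: onlyInPackage.sort(), changed: changed.sort() };
}

// Constructed sample: two small trees with hypothetical file names and contents.
function buildSample() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'pubdiff-'));
  const write = (rel, body) => {
    fs.mkdirSync(path.dirname(path.join(base, rel)), { recursive: true });
    fs.writeFileSync(path.join(base, rel), body);
  };
  write('repo/package.json', '{"name":"example-ui"}');
  write('repo/src/server.js', 'startServer();');
  write('package/package.json', '{"name":"example-ui"}');
  write('package/src/server.js', 'startServer(); require("./telemetry");');
  write('package/src/telemetry.js', '/* not present in the repository */');
  return { pkgDir: path.join(base, 'package'), repoDir: path.join(base, 'repo') };
}

const sample = buildSample();
console.log(comparePublished(sample.pkgDir, sample.repoDir));
```

In practice the first argument is the directory unpacked from the tarball that `npm pack <name>@<version>` downloads, and the second is a checkout of the matching tag. Generated build output will also appear under onlyInPackage and has to be reproduced from source before it can be trusted.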
How the Credential Theft Works
The malicious package targets a critical OpenAI Codex authentication file stored locally on developer systems:
~/.codex/auth.json
This file contains sensitive authentication information, including:
- Access tokens
- Refresh tokens
- ID tokens
- Account identifiers
Researchers discovered that the package silently reads the contents of this file and transmits the data to a remote server named:
sentry.anyclaw.store
The domain is intentionally designed to resemble Sentry, the widely used application monitoring and error-tracking platform, potentially helping the activity blend into normal network traffic.
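The package name, file path and hostname above can be used to sweep a project's installed dependencies. The following is an added example, not code from the researchers or the package; the sample tree it scans is constructed, and its file names are hypothetical.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
// Indicators as given in the article text above.
const BAD_PACKAGE = 'codexui-android';
const INDICATORS = ['sentry.anyclaw.store', '.codex/auth.json'];

// Yield every regular file below dir; symlinks are not followed.
function* walk(dir) {
  for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
    const p = path.join(dir, e.name);
    if (e.isDirectory()) yield* walk(p);
    else if (e.isFile()) yield p;
  }
}

// Return one { file, reason } finding per package-name or string match.
function scanTree(root) {
  const findings = [];
  for (const file of walk(root)) {
    if (path.basename(file) === 'package.json') {
      let name;
      try { name = JSON.parse(fs.readFileSync(file, 'utf8')).name; } catch { continue; }
      if (name === BAD_PACKAGE) findings.push({ file, reason: `package ${name}` });
    } else if (/\.[cm]?js$/.test(file)) {
      const text = fs.readFileSync(file, 'utf8');
      for (const ioc of INDICATORS.filter((i) => text.includes(i)))
        findings.push({ file, reason: `references ${ioc}` });
    }
  }
  return findings;
}

// Constructed sample tree (hypothetical file names, not the real package contents).
function buildSample() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'scan-'));
  const write = (rel, body) => {
    fs.mkdirSync(path.dirname(path.join(root, rel)), { recursive: true });
    fs.writeFileSync(path.join(root, rel), body);
  };
  write('node_modules/example-lib/package.json', '{"name":"example-lib"}');
  write('node_modules/example-lib/index.js', 'module.exports = (s) => s;');
  write('node_modules/codexui-android/package.json', '{"name":"codexui-android"}');
  write('node_modules/codexui-android/dist/cli.js',
    'const f = "~/.codex/auth.json"; const host = "sentry.anyclaw.store";');
  return root;
}
console.log(scanTree(buildSample()));
```

A hit is a lead for manual review. Code that assembles the path or hostname at run time will not match, so a clean result does not clear a package.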
Why Stolen Refresh Tokens Are Dangerous
The most concerning aspect of the attack involves the theft of refresh tokens.
Unlike temporary access tokens, refresh tokens can be used to continuously generate new access credentials without requiring the user to log in again.
Researchers warn that possession of a valid Codex refresh token may allow attackers to:
- Maintain long-term access to compromised accounts
- Impersonate legitimate users
- Access AI development environments
- Interact with services linked to the affected account
- Operate without raising immediate suspicion
Because refresh tokens often remain valid for extended periods, attackers may retain access long after the initial compromise.
OpenAI’s Existing Warning
OpenAI already advises users to protect the authentication file used by Codex.
The company notes that authentication credentials are stored either within the local file system or in operating system-specific credential stores and should be treated with the same level of sensitivity as passwords.
Developers are advised never to:
- Commit the file to source control repositories
- Share it through support tickets
- Upload it to public forums
- Send it through messaging platforms
Android Apps Also Used for Credential Theft
Researchers discovered that the npm package was not the only delivery mechanism used by the threat actor.
An Android application named OpenClaw Codex Claude AI Agent was found to incorporate the same package and credential-stealing functionality.
The app reportedly has more than 50,000 downloads and operates by:
- Installing a Linux-like environment inside the application.
- Running Node.js through a sandboxed environment.
- Downloading and executing the codexui-android package directly from npm.
- Capturing authentication credentials after users log in to Codex.
- Sending the collected tokens to the same attacker-controlled infrastructure.
Because the application retrieves the package dynamically from npm, users automatically receive whatever version is currently published, including malicious updates.
Second Android App Identified
Aikido Security also identified another Android application linked to the same developer:
- Codex (package name: codex.app)
This app has reportedly exceeded 10,000 downloads and contains the same credential exfiltration mechanism.
Interestingly, researchers noted that three other applications published by the same developer did not contain the malicious functionality.
Questions Surround the Package Author
The npm package is associated with an account named friuns, reportedly belonging to developer Igor Levochkin.
When contacted by researchers, the maintainer initially claimed to have lost access to the npm account. Shortly afterward, that response was edited and replaced with a statement indicating an internal investigation was underway.
The author also stated that no credential information had been shared with third parties and that efforts had begun to remove the problematic functionality.
However, several important questions remain unanswered:
- Why was the code present only in the npm build and not in the GitHub repository?
- Why was access to user authentication tokens required?
- What purpose did the collected credentials serve?
Researchers also discovered links between the package author and the domain used for data exfiltration.
WHOIS records show that the domain anyclaw.store was registered just two days after the first version of the npm package was uploaded, raising further concerns about the relationship between the infrastructure and the software project.
Growing Threats to AI Development Ecosystems
The incident highlights an emerging trend in cybersecurity: attackers increasingly targeting AI development tools and developer workflows.
As artificial intelligence platforms become more deeply integrated into software development environments, authentication credentials tied to these systems become attractive targets for threat actors seeking:
- Source code access
- Cloud environment access
- Development pipeline compromise
- Supply chain infiltration
- Long-term persistence within organizations
Google API Key Revocation Delays Raise Additional Concerns
In a separate finding, Aikido Security recently uncovered another issue affecting cloud security.
Researchers discovered that deleted Google API keys can remain active for up to 23 minutes after revocation, with an average delay of approximately 16 minutes.
During this window, attackers possessing leaked credentials may continue making requests and accessing services.
Potential risks include:
- Access to user data
- Continued API usage
- Retrieval of files uploaded to Google Gemini
- Exposure of cached AI conversations
Google initially classified the behavior as a known system characteristic rather than a security issue, but has since upgraded the matter to a Priority Zero (P0) vulnerability, indicating urgent remediation is required.
Credential Revocation Delays Remain a Security Risk
The Google discovery follows earlier observations involving Amazon Web Services (AWS), where deleted access keys reportedly remained usable for several seconds after revocation.
While these delays may appear minor, they create opportunities for attackers to maintain unauthorized access after defenders believe credentials have already been disabled.
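For incident response, this means the review window for a leaked key has to run past the moment of revocation. The following is an added example, not code from the original article; the log format (one JSON object per line with ts, key, status and path), the key names and the timestamps are all constructed assumptions.

```javascript
// Upper bound on the deletion delay as reported in the article, in minutes.
const REPORTED_MAX_DELAY_MIN = 23;

// Summarise use of one key after its revocation time.
// Assumption: a status below 400 means the request was accepted.
function auditRevokedKey(logText, keyId, revokedAtIso) {
  const revokedAt = Date.parse(revokedAtIso);
  const late = logText.split('\n').filter((l) => l.trim())
    .map((l) => JSON.parse(l))
    .filter((e) => e.key === keyId && Date.parse(e.ts) > revokedAt);
  const accepted = late.filter((e) => e.status < 400);
  const lastAccepted = accepted.reduce((m, e) => Math.max(m, Date.parse(e.ts)), revokedAt);
  const windowMinutes = (lastAccepted - revokedAt) / 60000;
  return {
    acceptedAfterRevocation: accepted.map((e) => `${e.ts} ${e.path}`),
    rejectedAfterRevocation: late.length - accepted.length,
    windowMinutes,
    // Accepted traffic later than the reported maximum warrants checking
    // that the deletion actually took effect.
    exceedsReportedDelay: windowMinutes > REPORTED_MAX_DELAY_MIN,
  };
}

// Constructed log lines; key names, paths and times are placeholders.
const SAMPLE_LOG = [
  '{"ts":"2025-01-01T10:00:00Z","key":"key-A","status":200,"path":"/v1/files"}',
  '{"ts":"2025-01-01T10:06:00Z","key":"key-A","status":200,"path":"/v1/files"}',
  '{"ts":"2025-01-01T10:09:30Z","key":"key-B","status":200,"path":"/v1/models"}',
  '{"ts":"2025-01-01T10:17:00Z","key":"key-A","status":200,"path":"/v1/chats"}',
  '{"ts":"2025-01-01T10:30:00Z","key":"key-A","status":403,"path":"/v1/files"}',
].join('\n');

console.log(auditRevokedKey(SAMPLE_LOG, 'key-A', '2025-01-01T10:05:00Z'));
```

Every request listed under acceptedAfterRevocation was served after defenders considered the key disabled and belongs in the incident timeline.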
As organizations increasingly rely on cloud platforms and AI-powered development tools, security teams must account for credential theft, supply chain risks, and revocation delays as part of their broader defense strategy.
Final Thoughts
The codexui-android incident demonstrates how attackers are evolving beyond traditional malware campaigns and increasingly targeting trusted developer tools. By embedding malicious functionality into a legitimate and widely used package, threat actors can harvest valuable authentication credentials while remaining largely undetected.
Developers using OpenAI Codex should immediately review their environments, rotate potentially exposed credentials, and verify the integrity of any third-party tools integrated into their workflows. As AI ecosystems continue to grow, securing developer tooling will become just as important as protecting production systems themselves.
