Full Report
Cybersecurity researchers have disclosed details of a new malicious supply chain campaign that's targeting developers using OpenAI Codex through a legitimate-looking remote web UI. The tool, named codexui-android, is advertised on GitHub and npm as a remote web UI for OpenAI Codex, attracting over 29,000 weekly downloads. The package is still available for download from the repository. What
Analysis Summary
# Incident Report: OpenAI Codex Token Theft via codexui-android Supply Chain Attack
## Executive Summary
Cybersecurity researchers discovered a malicious supply chain campaign targeting developers using a functional npm package titled `codexui-android`. The package, which serves as a remote web UI for OpenAI Codex, was found to be exfiltrating persistent authentication tokens to an attacker-controlled server. With nearly 30,000 weekly downloads on npm and over 60,000 downloads via linked Android applications, the campaign represents a significant compromise of AI developer environments.
## Incident Details
- **Discovery Date:** Approximately May/June 2026
- **Incident Date:** Malicious activity began ~May 2026 (persisted for one month prior to disclosure)
- **Affected Organization:** Users of the `codexui-android` npm package and associated Android apps
- **Sector:** Technology / Software Development / AI Research
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 2026
- **Vector:** Software Supply Chain Attack (npm registry)
- **Details:** The attacker published a functional tool, `codexui-android`. After building a user base and trust over one month, malicious code was introduced in version 0.1.82.
### Lateral Movement
- **Details:** While traditional lateral movement is not the primary focus, the attacker pivots from the user’s development environment or mobile device to OpenAI’s infrastructure by using the stolen OAuth tokens to impersonate the user.
### Data Exfiltration/Impact
- **Details:** The package targeted the `~/.codex/auth.json` file. It successfully exfiltrated the `access_token`, `refresh_token`, `id_token`, and account ID to the attacker’s domain. Because the `refresh_token` does not expire, the attacker gained indefinite access to the victims' OpenAI accounts.
### Detection & Response
- **Detection:** Discovered by researcher Charlie Eriksen of Aikido Security during analysis of npm package behaviors.
- **Response:** Researchers contacted the developer ("friuns") on GitHub. The developer initially claimed a compromised account, then pivoted to claiming an "internal investigation" and began removing the malicious functionality.
## Attack Methodology
- **Initial Access:** Supply chain compromise via a legitimate-looking, functional npm package and Google Play Store apps.
- **Persistence:** Use of stolen refresh tokens (`refresh_token`), which allow for indefinite account impersonation without needing the user's password.
- **Privilege Escalation:** Not applicable; however, the tokens provide the attacker with the same permissions as the developer's account.
- **Defense Evasion:**
  - The malicious code was not present in the GitHub source, only the npm build.
  - The Android APK used a PRoot sandbox and Termux-derived Linux userland to bypass Play Store pre-publish scans.
  - Exfiltration traffic masqueraded as legitimate "Sentry" error-tracking logs.
- **Credential Access:** Direct file access to plaintext authentication blobs (`~/.codex/auth.json`).
- **Exfiltration:** Data sent via HTTPS to `sentry.anyclaw[.]store/startlog`.
## Impact Assessment
- **Financial:** Potential for significant unauthorized API billing charges on victims' OpenAI accounts.
- **Data Breach:** High. Theft of persistent OAuth tokens allowing full access to Codex/OpenAI account data, prompts, and proprietary code.
- **Operational:** Potential suspension of OpenAI accounts due to malicious activity performed by the attacker.
- **Reputational:** High for the developers/firms whose code or AI agents were compromised.
## Indicators of Compromise
- **Network Indicators:**
  - `sentry.anyclaw[.]store`
  - `anyclaw[.]store`
- **File Indicators:**
  - npm package: `codexui-android` (v0.1.82 and later)
  - Android Package Name: `gptos.intelligence.assistant` (OpenClaw Codex Claude AI Agent)
  - Android Package Name: `codex.app`
- **Behavioral Indicators:**
  - Unauthorized API calls originating from unknown IP addresses.
  - File read access to `~/.codex/auth.json` by unauthorized node processes.
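
A lockfile check for the npm file indicator above, as an added example (not code from the researchers or the package): it walks a parsed `package-lock.json` in either the flat `packages` layout or the older nested `dependencies` layout and reports every `codexui-android` entry at 0.1.82 or later. The sample lockfile and the names `demo-app`, `tooling` and `some-lib` are constructed.

```javascript
// Added example: find codexui-android >= 0.1.82 in a parsed package-lock.json.
const PKG = 'codexui-android';
const FIRST_BAD = [0, 1, 82]; // first malicious version named in this report

// True when an x.y.z version is at or above FIRST_BAD. Anything that does not
// parse as x.y.z (a git URL, a tag) is flagged so that a human reviews it.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return true;
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== FIRST_BAD[i]) return n > FIRST_BAD[i];
  }
  return true; // exactly 0.1.82
}

function findAffected(lock) {
  const hits = new Map(); // keyed by install path, so v2 files are not double-counted
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.split('node_modules/').pop() === PKG && isAffected(meta.version)) {
      hits.set(path, meta.version);
    }
  }
  // lockfileVersion 1 (also kept in v2): nested "dependencies" tree keyed by name
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PKG && isAffected(meta.version)) hits.set(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return [...hits].map(([path, version]) => ({ path, version }));
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/codexui-android': { version: '0.1.84' },
    'node_modules/tooling/node_modules/codexui-android': { version: '0.1.81' },
    'node_modules/some-lib': { version: '1.3.0' },
  },
};

console.log(findAffected(sampleLock));
```

A hit means the tokens in `~/.codex/auth.json` on that machine should be treated as exposed, whatever version is installed now.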
## Response Actions
- **Containment:** Aikido Security notified the community and the package author.
- **Eradication:** The author claimed to be removing the malicious functionality and deleting collected data (though this remains unverified).
- **Recovery:** Affected users must revoke all active OpenAI tokens and CLI sessions immediately.
## Lessons Learned
- **Build vs. Source Discrepancies:** Malicious code was hidden in the npm build but absent from GitHub, highlighting that reviewing source code on GitHub is insufficient for verifying npm packages.
- **Dangers of Local Caching:** Storing persistent refresh tokens in plaintext (`~/.codex/auth.json`) creates a single point of failure for developer security.
- **Mobile Sandbox Evasion:** Attackers are successfully using PRoot and Linux userlands within Android apps to hide malicious Node.js activity from standard mobile security scans.
## Recommendations
1. **Token Rotation:** Immediately rotate OpenAI API keys and revoke any active OAuth sessions if `codexui-android` was ever installed.
2. **Environment Security:** Use OS-specific secret stores (like Keychain or Credential Manager) instead of file-based plaintext storage for AI tokens.
3. **Package Verification:** Use tools like `npm diff` or security scanners (e.g., Aikido, Socket, Snyk) that inspect the actual downloaded artifacts rather than just the GitHub repository.
4. **Principle of Least Privilege:** Use restricted API keys with limited scopes and usage caps rather than full-access account tokens.
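
The build-versus-source gap described under Lessons Learned and in recommendation 3 can be checked mechanically. The following added example (not the researchers' tooling) compares the files of a published package against a clean rebuild of the tagged source and lists files that exist only in the published artifact, files whose content differs, and hostnames that appear only in the published copy. It assumes both trees have already been unpacked into maps of path to file text; the package name `demo-ui`, the file contents and the `example` hosts are constructed.

```javascript
// Added example: diff a published npm artifact against a rebuild from source.
const HOST_RE = /https?:\/\/([a-z0-9.-]+)/gi;

// Hostnames of every http(s) URL literal found in a file's text.
function hostsIn(text) {
  return new Set([...text.matchAll(HOST_RE)].map((m) => m[1].toLowerCase()));
}

// published / rebuilt: objects mapping relative path -> file text.
// allowedHosts: Set of hostnames the project is expected to contact (assumption).
function compareArtifact(published, rebuilt, allowedHosts) {
  const report = { onlyInPublished: [], changed: [], newHosts: [] };
  for (const [path, text] of Object.entries(published)) {
    const inSource = Object.hasOwn(rebuilt, path);
    if (inSource && rebuilt[path] === text) continue; // matches the source build
    (inSource ? report.changed : report.onlyInPublished).push(path);
    // Hosts that the source build of this file never mentions deserve review,
    // whatever they are named: the endpoint in this incident posed as Sentry.
    const known = inSource ? hostsIn(rebuilt[path]) : new Set();
    for (const host of hostsIn(text)) {
      if (!known.has(host) && !allowedHosts.has(host)) {
        report.newHosts.push({ path, host });
      }
    }
  }
  return report;
}

// Constructed inputs: the published copy has one altered file and one extra file.
const rebuilt = {
  'package.json': '{"name":"demo-ui","version":"0.0.2"}',
  'dist/server.js': 'fetch("https://api.example.com/v1/run");',
};
const published = {
  'package.json': '{"name":"demo-ui","version":"0.0.2"}',
  'dist/server.js':
    'fetch("https://api.example.com/v1/run");send("https://logs.example.net/ingest");',
  'dist/extra.js': 'module.exports = {};',
};

console.log(compareArtifact(published, rebuilt, new Set(['api.example.com'])));
```

Minified or non-reproducible builds will show up as `changed` without being malicious, so the report is a review queue, not a verdict.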