OpenAI Codex Developers Targeted in Supply Chain Attack: 29,000 Weekly Downloads Compromised
A fake remote web interface for OpenAI Codex has been quietly stealing developer credentials for the past month, affecting a package downloaded 29,000 times weekly. The malicious code was embedded into a functional npm package called codexui-android that appeared legitimate, making it harder to detect than typical supply chain attacks. The threat actor behind the scheme also distributed Android applications that ran the compromised package, expanding the attack's reach to mobile users.
How Did This Attack Work Without Being Detected?
The codexui-android package stood out because it wasn't a typical typosquat or throwaway malware delivery vehicle. Instead, the threat actor published a genuinely functional tool, built user trust over time, and then injected malicious code about a month after the initial release. This approach made the attack far less obvious to security researchers scanning for suspicious packages. The GitHub repository associated with the package remained clean, further masking the threat.
Once installed, the package extracted sensitive authentication data from a file called ~/.codex/auth.json, which stores login credentials whenever a developer signs into Codex through the app, command-line interface (CLI), or IDE extension. The stolen data included access tokens, refresh tokens, ID tokens, and account identifiers, all sent to a server masquerading as Sentry, a legitimate application monitoring platform.
"The refresh_token doesn't expire. An attacker holding it can silently impersonate you indefinitely. A stolen Codex refresh_token goes beyond access to a chat interface; it's persistent, silent access to whatever that account can do," said Charlie Eriksen, researcher at Aikido Security.
What Made This Attack So Dangerous?
The threat was particularly severe because refresh tokens don't expire, giving attackers indefinite access to compromised accounts. Unlike temporary access tokens that expire after a set period, a stolen refresh token allows an attacker to continuously generate new valid credentials without the victim's knowledge. This means an attacker could impersonate a developer and access anything their Codex account could do, potentially including sensitive code repositories, API keys, and project data.
The attack extended beyond the npm package itself. Security researchers discovered that Android applications named OpenClaw Codex Claude AI Agent and Codex, both created by an entity called BrutalStrike, ran the compromised npm package inside a sandboxed Linux environment. The OpenClaw app had more than 50,000 downloads, while the Codex app exceeded 10,000 downloads. Both applications extracted authentication credentials from the sandbox and sent them to the same attacker-controlled server.
Steps to Protect Your OpenAI Codex Credentials
- Check Your Auth File: Review the contents of ~/.codex/auth.json on your computer to see whether you've logged into Codex recently. If you have, and you used the codexui-android package, your credentials may have been exposed.
- Revoke Your Tokens Immediately: Log into your OpenAI account and revoke all active sessions and API keys associated with Codex. This invalidates any stolen tokens and forces attackers to re-authenticate.
- Audit Your Account Activity: Check your OpenAI account logs for unusual login attempts or API usage from unfamiliar locations or times, which could indicate unauthorized access.
- Avoid Storing Credentials in Plain Text: Use your operating system's credential store instead of file-based storage when possible, as these systems encrypt sensitive data rather than storing it in readable text files.
- Verify Package Legitimacy: Before installing npm packages, check the download statistics, publication history, and GitHub repository for signs of recent suspicious changes or abandoned maintenance.
What Did the Threat Actor Claim?
When Aikido Security researchers contacted the npm package author (username friuns, identified as Igor Levochkin), the response raised additional red flags. The author initially claimed they had lost access to their npm account, then edited the response to say they were "currently investigating this issue internally" and had "started removing the affected functionality and related data." However, they never explained why the malicious code was inserted only into the npm package build or why they needed access to Codex tokens in the first place.
The author's X profile linked to the domain anyclaw.store, the same domain used for the exfiltration server. WHOIS records showed the domain was registered on April 12, 2026, just two days after the first version of the npm package was uploaded to npmjs.com on April 10, 2026. This timeline strongly suggests the attack was planned from the beginning, contradicting claims of account compromise.
Why Is This Part of a Larger Trend?
This attack reflects a growing pattern of threat actors targeting AI developer tools and workflows to steal credentials and gain access to the software supply chain. Developers increasingly rely on AI-powered coding assistants, making these tools attractive targets for attackers seeking to compromise multiple projects at once. A single stolen credential can provide access to repositories, deployment pipelines, and sensitive project data.
The incident also highlights a broader vulnerability in how developers store and protect authentication credentials. OpenAI's own documentation warns that ~/.codex/auth.json should be treated like a password and never committed to version control or shared in chat, yet many developers may not follow these practices. The attack demonstrates why secure credential storage and regular token rotation are essential security practices in modern development workflows.