"And for the past month, every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server," Aikido Security researcher Charlie Eriksen warned.
The malicious codexui-android package and its reach
Researchers disclosed a supply chain campaign that hides malicious code inside an otherwise functional npm package called codexui-android, advertised as a remote web UI for OpenAI Codex. The package attracts over 29,000 weekly downloads and, according to the report, is still available from the repository. Rather than relying on a throwaway or typosquatted project, the threat actor introduced nefarious code into a package that had undergone active development and that had built user trust before the changes appeared.
How the exfiltration worked: auth.json, tokens, and a fake Sentry endpoint
The package contains code that reads the Codex credential file at ~/.codex/auth.json and sends its contents to a remote server, sentry.anyclaw[.]store, which masquerades as the legitimate Sentry monitoring service. The captured values include access_token, refresh_token, id_token, and account ID. Eriksen emphasized the operational severity: "The refresh_token doesn't expire. An attacker holding it can silently impersonate you indefinitely. A stolen Codex refresh_token goes beyond access to a chat interface -- it's persistent, silent access to whatever that account can do."
The report also reiterates OpenAI guidance that when a user logs in to the Codex app, CLI, or IDE Extension via ChatGPT or an API key, the login details are cached locally either in ~/.codex/auth.json or in the OS-specific credential store. OpenAI's support documentation says, "If you use file-based storage, treat ~/.codex/auth.json like a password: it contains access tokens," and warns users not to commit, paste, or share that file.
Android apps as a second delivery vector: OpenClaw, Codex, and PRoot
Aikido observed an Android application named OpenClaw Codex Claude AI Agent (package name gptos.intelligence.assistant) that runs the npm package inside a PRoot sandbox and forwards Codex credentials to the same endpoint. On first run, the APK extracts a Termux-derived Linux userland into the app's private storage and runs Node.js via PRoot; the app then pulls whatever version of the npm package is published because "the version is not pinned." The report states the exfiltration behavior has been in place since codexui-android@0.1.82 and that the package reads the sandboxed auth.json and ships the OAuth blob to sentry.anyclaw.store/startlog.
The OpenClaw app, released by an entity named "BrutalStrike," has more than 50,000 downloads. A second app linked to BrutalStrike, called Codex (package name codex.app), has been downloaded over 10,000 times; the same exfiltration chain was flagged there as well. The developer's remaining three apps do not contain this functionality, according to the findings.
Author account, timeline, and indicators
The npm account tied to the package is "friuns" (aka Igor Levochkin). Aikido reported that the project's associated GitHub repository appears clean; the malicious changes were introduced to the npm package build. After researchers reached out, the author initially posted that they had lost access to their npm account, then edited the comment to say they were "currently investigating this issue internally" and that they "have started removing the affected functionality and related data." The author also claimed no credential data was shared with third parties, while not explaining why the code was inserted only into the npm package build or why access to Codex tokens was needed. The X profile linked to the author includes the domain anyclaw[.]store.
WHOIS records show the anyclaw[.]store domain was registered on April 12, 2026 — two days after the package's very first version (0.1.72) was uploaded to npmjs[.]com.
What this means for Codex developers, Android users, and security teams
- Codex developers and users of the codexui-android package: They should treat ~/.codex/auth.json as sensitive. The package remains available for download, and the report ties exfiltration to versions starting at 0.1.82.
- Android users of OpenClaw and Codex apps: Both apps were observed running the npm package inside a PRoot sandbox; OpenClaw has more than 50,000 downloads and Codex over 10,000, increasing the population of potentially affected mobile users who log into Codex inside those apps.
- Security teams and repository/marketplace operators: The incident illustrates a supply chain pattern where a functional, actively developed package is modified to exfiltrate tokens, and where an external domain (anyclaw[.]store) is used to receive stolen credentials shortly after initial package publication. Detection and response will need to consider malicious code introduced at build or publishing stages, and cross-platform delivery via mobile wrappers that run unpinned npm dependencies.
Broader credential-management context: deleted API keys and revocation windows
The disclosure sits alongside other findings about credential revocation delays. A Belgian security company found that a deleted Google API key can remain live for up to 23 minutes (the median revocation window was around 16 minutes), enabling an attacker with a leaked key to continue accessing data and APIs. Researcher Joe Leon said, "An attacker holding your deleted key can keep sending requests until one reaches a server that has not caught up." After initially declining to treat the behavior as a security bug, Google later recast it as a P0 issue. The report also references a similar 4-second exploitation window previously observed with deleted AWS access keys, underscoring how revocation delays can be exploited even when defenders assume credentials have been invalidated.
The immediate facts are stark: a widely downloaded npm package and at least two popular Android apps were used to harvest and forward Codex credentials to a domain registered days after the package first appeared, and the stolen refresh_token can be used indefinitely according to the researchers. The package remains available on the registry as of the report.




