Researchers have disclosed a new malicious supply chain campaign targeting developers using OpenAI Codex through a legitimate-looking remote web UI tool known as codexui-android. The package, which is advertised on GitHub and npm, has garnered over 29,000 weekly downloads and remains publicly available for download.
This campaign is notable as it embeds malicious code within a fully functional npm package that has been actively developed, with the associated GitHub repository appearing clean. “For the past month, every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server,” said Charlie Eriksen, a researcher at Aikido Security.
The malicious code seems to have been introduced about a month after the package was initially published, possibly to build user trust and broaden its reach. The npm account tied to the package is “friuns,” which is linked to Igor Levochkin.
The embedded code reads Codex's “~/.codex/auth.json” file and sends it to a remote server masquerading as Sentry at “sentry.anyclaw[.]store.” The captured data includes the access token, refresh token, ID token, and account ID. “The refresh_token doesn’t expire,” Eriksen noted, meaning a stolen token gives ongoing unauthorized access. “An attacker holding it can silently impersonate you indefinitely.”
OpenAI warns users to treat the auth.json file like a password. Login details are cached locally in plaintext or through an operating system-specific credential store, raising further security concerns.
Besides the npm package, Aikido researchers also identified an Android application named OpenClaw Codex Claude AI Agent that utilizes the malicious npm package to exfiltrate credentials. The OpenClaw app, with a small APK size of 26 MB, appears clean in pre-publish scans and runs the npm package in a PRoot sandbox.
The exfiltration chain has been active since version [email protected], which automatically pulls updates from npm. “The version is not pinned, so the device pulls whatever is currently published on npm,” Eriksen explained. The same exfiltration method was also observed in another Android app tied to the developer BrutalStrike, named Codex, which has over 10,000 downloads. The remaining three apps from the developer do not contain this malicious functionality.
Aikido reached out to the author of the npm package on GitHub. Initially, they claimed to have lost access to their npm account but later stated they are investigating the issue and have begun removing the affected functionality. They claimed no credential data was shared with third parties but did not explain why the malicious code was included or the necessity for Codex tokens.
Investigations into domain registrations revealed that “anyclaw[.]store,” linked to the author, was registered shortly after the first version of the npm package was uploaded, specifically on April 12, 2026. This development highlights a broader trend of adversaries exploiting AI development tools to steal credentials and infiltrate the software supply chain.
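A defender-side check for the indicators named above, as an added example that is not from Aikido or the package author: it looks for codexui-android in a parsed package-lock.json, flags a version spec that is not pinned, and matches the fake-Sentry host and the auth.json path in file contents. The function names, sample lockfile, manifest, version strings and source line are all constructed for illustration.

```javascript
// Added example. Indicators come from the article; all sample inputs are constructed.
const PKG = 'codexui-android';
const IOC_HOST = 'sentry.anyclaw[.]store'.replace('[.]', '.'); // re-fang for matching
const IOC_PATH = '.codex/auth.json';

// Find every resolved copy of PKG in a parsed package-lock.json:
// the v2/v3 "packages" map, or the nested v1 "dependencies" tree.
function findInLockfile(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
        hits.push({ where: path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail + name;
      if (name === PKG) hits.push({ where, version: meta.version });
      walk(meta.dependencies, where + ' > ');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Return the version spec if package.json lets PKG float (tag, range, "*"), else null.
function unpinnedSpec(manifest) {
  const all = { ...manifest.dependencies, ...manifest.devDependencies, ...manifest.optionalDependencies };
  const spec = all[PKG];
  if (spec === undefined) return null;
  return /^\d+\.\d+\.\d+(-[\w.]+)?$/.test(spec) ? null : spec;
}

// Flag text that names the fake-Sentry host or the Codex credential file.
function scanSource(text) {
  const found = [];
  if (text.includes(IOC_HOST)) found.push('host');
  if (text.replace(/\\+/g, '/').includes(IOC_PATH)) found.push('auth-file');
  return found;
}

// Constructed inputs: a v3 lockfile with a nested copy, a floating spec, a source line.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo' },
  'node_modules/some-cli/node_modules/codexui-android': { version: '0.0.0-sample' } } };
const sampleManifest = { dependencies: { 'codexui-android': 'latest' } };
const sampleSource = `const dsn = "https://${IOC_HOST}/0"; const f = "~/.codex/auth.json";`;
console.log(findInLockfile(sampleLock), unpinnedSpec(sampleManifest), scanSource(sampleSource));
```

A clean result is inconclusive, since string matching misses indicators that are obfuscated or assembled at runtime. A hit on any check is reason to treat the tokens in auth.json as exposed.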
Additionally, Belgian security researchers found that deleted Google API keys can remain active for up to 23 minutes, presenting a security vulnerability. Google initially dismissed the issue as a non-security concern but later classified it as critical. Similar delays in credential revocation have been noted with AWS access keys, underscoring exploitable vulnerabilities within cloud environments.





