Cybersecurity researchers have revealed details of a new malicious supply chain campaign targeting developers using OpenAI Codex through a legitimate-looking remote web UI.
The tool, named codexui-android, is promoted on GitHub and npm as a remote web UI for OpenAI Codex and attracts more than 29,000 downloads each week. Packages are still available for download from the repository.
What makes this activity notable is that it is not a traditional attack that uses typosquats or single-use packaging to trick developers. Rather, the malicious code is embedded in a functional npm package that is under active development. The associated GitHub repository remains clean.
“And for the past month, every call has secretly leaked Codex authentication tokens to attacker-controlled servers,” said Aikido security researcher Charlie Eriksen.
This malicious change is said to have been introduced about a month after the package was published to the registry, presumably to build user trust and expand its reach. The npm account associated with the package is “friuns” (aka Igor Levochkin).
Within the package is code that extracts the contents of the Codex “~/.codex/auth.json” file and extracts it to a remote server (“sentry.anyclaw”).[.]Store”) impersonates Sentry, a legitimate application monitoring and error tracking platform. Captured data includes access_token, refresh_token, id_token, and account ID details.
“The refresh_token does not have an expiration date,” Eriksen said. “Once an attacker retains it, they can silently impersonate you indefinitely. A stolen Codex refresh_token becomes permanent, silent access to anything that account can do, beyond access to the chat interface.”
Note here that whenever a user logs in to a Codex app, CLI, or IDE extension using ChatGPT or an API key, the login details are cached locally in a plain text file at ~/.codex/auth.json or in an operating system-specific credential store.
“When using file-based storage, treat ~/.codex/auth.json like a password; it contains an access token,” OpenAI warns in its support documentation. “Do not commit, paste into a ticket, or share in chat.”
Interestingly, npm packages are not the only distribution vector used by threat actors to target Codex developers. Aikido said he observed an Android application named OpenClaw Codex Claude AI Agent (package name: “gptos.intelligence.assistant”) running an npm package within the PRoot sandbox and sending Codex credentials to the same endpoint.
“The APK itself is small (26 MB), so it looks good in Play’s pre-publish scan,” Eriksen explained. “On first run, we extract the Termux-derived Linux userland to the app’s private storage and run Node.js within it via PRoot.”
“The version is not fixed, so the device currently pulls what is published on npm. The extraction has been done since codexui-android@0.1.82. The package runs inside the app’s PRoot sandbox, and the in-app Codex sign-in writes auth.json. When the user signs in, the package reads that file from the sandbox and sends the complete OAuth blob. Sentry.anyclaw.store/startlog.
This Android app, released by an organization named ‘BrutalStrike’, has been downloaded more than 50,000 times. The same breach chain has been reported for a second Android app linked to BrutalStrike, Codex (package name: “codex.app”), which has been downloaded more than 10,000 times. The remaining three apps provided by the developer do not include this feature.
When we reached out to the package author on GitHub, Aikido initially posted a comment stating that his npm account was no longer accessible, but he edited that response and posted a separate comment in which he claimed to be “currently investigating this issue internally” and that he had “begun removing the affected features and associated data.”
Additionally, the author did not answer why this code was only injected into npm package builds or why it needed access to Codex tokens in the first place, and claimed that the credential data was not shared with third parties. The X profile linked to the author contains the domain ‘anyclaw'[.]shop. “
WHOIS records show the domain was registered on April 12, 2026, just two days after the first version of the npm package (version 0.1.72) was uploaded to npmjs.[.]Com.
The development comes as threat actors increasingly target the tools and workflows of real artificial intelligence (AI) developers to steal credentials and penetrate deeper into the software supply chain.
Late last month, the Belgian security firm also discovered that deleted Google API keys can persist for up to 23 minutes. An attacker with access to the compromised key could use this window to access user data and other APIs, including those related to Google Gemini. Median expiration time is approximately 16 minutes.
“An attacker in possession of a deleted key could continue to send requests until they reach a server that can’t keep up,” researcher Joe Leung said. “If Gemini is enabled in your project, you can dump uploaded files and leak cached conversations.”
Google initially chose not to fix the issue, saying it was a “known characteristic of the system and not a security issue,” but the tech giant later decided to treat the issue as a P0 bug, making it a serious issue that “needs immediate attention.”
This finding, similar to a similar four-second exploit time previously observed for deleted Amazon Web Services (AWS) access keys, highlights that while defenders assume the credential has been revoked, delays in credential revocation are exploitable and can be used to gain unauthorized access to cloud environments.
Source link
