Codex tokens stolen via codexui-android npm package
A modified codexui-android npm package and linked Android apps copied OpenAI Codex auth tokens from users’ ~/.codex/auth.json to sentry.anyclaw.store.
A malicious change to the codexui-android npm package, and several Android apps that bundle it, exfiltrated OpenAI Codex authentication tokens from users’ local ~/.codex/auth.json files to an attacker-controlled server. Captured values included the access_token, refresh_token, id_token and account ID.
Aikido Security researcher Charlie Eriksen disclosed the campaign after examining the npm package, which is promoted as a remote web UI for OpenAI Codex and attracts over 29,000 weekly downloads. The GitHub repository linked to the project appears to contain no malicious code; the injected code was present in the npm package distributed through the registry.
The added code reads the Codex authentication file at ~/.codex/auth.json and posts its contents to sentry.anyclaw.store at a path observed as /startlog. The change was present in codexui-android starting at version 0.1.82. Eriksen wrote that the modification ran quietly on every invocation of the package for about a month.
The stolen refresh_token is long-lived and can be used to access an account until the token is revoked, so affected users need to revoke it rather than only remove the package. OpenAI’s support documentation instructs developers to treat ~/.codex/auth.json like a password and not to share or commit it.
Aikido found multiple delivery methods. An Android app named OpenClaw Codex Claude AI Agent (package name gptos.intelligence.assistant) embeds a Termux-derived Linux userland, runs Node.js via PRoot, and executes the npm package inside the app’s private storage. The app reads the in-app Codex sign-in data from the sandboxed userland and sends the full OAuth blob to the attacker endpoint. The OpenClaw app has been downloaded more than 50,000 times.
A second app linked to the same developer, listed as Codex (package name codex.app), used the same chain and has over 10,000 downloads. Neither app pins the npm dependency, so each device fetches whatever version is currently published to npm at runtime; a malicious npm release therefore reaches app users without any update to the apps themselves.
The npm account associated with the package is registered as “friuns,” linked to the name Igor Levochkin. When contacted, the account holder first posted that they had lost access to the npm account and later edited the message to say they were investigating and removing the affected functionality. The account holder denied sharing credentials with third parties but did not explain why the code appeared only in the npm package build or why Codex tokens were needed.
The X profile associated with the author lists the domain anyclaw.store. WHOIS records show anyclaw.store was registered on April 12, 2026, two days after the first npm upload of codexui-android version 0.1.72.
This incident follows a pattern researchers have documented repeatedly: developer tooling and package distribution channels abused to harvest credentials, and long-lived tokens, including deleted API keys that remain valid for a short window, giving attackers access to cloud services well after the initial theft.