top of page

Malicious Codex UI Tool with 27,000 Downloads Caught Stealing OpenAI Refresh Tokens

  • May 31
  • 3 min read

Key Findings


  • Popular codexui-android npm package with 27,000 weekly downloads contained malicious code stealing OpenAI authentication credentials

  • Malicious code hidden in published package only, not in public GitHub repository, evading standard audits

  • Attackers stole access tokens, ID tokens, account IDs, and refresh tokens from local auth.json files

  • Refresh tokens do not expire, allowing attackers indefinite account impersonation

  • Same threat actor deployed malicious Android apps on Google Play Store under developer identity BrutalStrike

  • Stolen data exfiltrated to server disguised as legitimate Sentry error-reporting telemetry

  • As of discovery date, malicious package and apps remained live on distribution platforms


Background


On May 27, 2026, Aikido Security researcher Charlie Eriksen discovered a supply chain attack targeting developers using OpenAI's Codex AI coding assistant. The codexui-android package served as a legitimate remote web interface for Codex and had accumulated roughly 27,000 weekly downloads across the developer community. The attack represented a sophisticated effort to compromise high-value targets within the AI developer tooling ecosystem.


The Hidden Attack Vector


What made this attack particularly effective was the attackers' decision to build a genuinely useful tool rather than rely on traditional compromise methods like typosquatting or account hijacking. This approach allowed them to establish a real user base before weaponizing the package. The malicious payload only appeared in the published npm package version, remaining completely absent from the public GitHub repository. This meant developers performing standard code audits would find nothing suspicious.


The attack triggered immediately upon module load when dist-cli/index.js imported a hidden script called chunk-PUR7OUAG.js. The script searched for local credentials and, if found, launched data exfiltration routines targeting sensitive authentication material from the auth.json file. The attackers focused especially on refresh tokens since these credentials never expire, granting them indefinite access to victim accounts.


Masking the Crime


To hide network activity, the attackers routed stolen data to a server endpoint named sentry.anyclawstore. The domain choice was deliberate, designed to blend seamlessly with normal Sentry error-reporting telemetry that developers would expect. Inside the hidden source map, the code author left little to doubt, including a comment stating "Send tokens to our startlog endpoint (always)".


Mobile Device Campaign


The threat actor behind codexui-android also targeted Android mobile devices through the Google Play Store. Operating under the developer identity BrutalStrike, the attacker maintained a legitimate mobile game with over 5 million downloads, establishing credibility. Two malicious apps, codex.app and "OpenClaw Codex Claude AI Agent", contained identical malicious infrastructure.


The Android apps bypassed Google's pre-publish security scans because the initial 26 MB APK file appeared completely benign. Once installed, the app extracted a Termux-derived Linux userland into private storage and launched Node.js using PRoot virtualization. It then executed a command to install the latest compromised npm package: pnpm add codexui-android@latest. The exfiltration campaign had been active since version 2.3.1.


Aftermath and Ongoing Risk


When confronted by Eriksen, the package author briefly claimed they lost access to their npm account. They deleted that comment and replaced it with a corporate statement denying any credential theft. Despite the discovery and public disclosure, both the malicious npm package and the Google Play Store apps remained live and available for download.


Researchers concluded that AI developer tooling represents an increasingly high-value target precisely because the authentication tokens are powerful and long-lived. The legitimacy of the project served as the attack vector itself. As AI tools proliferate and developers seek productivity shortcuts, expect this pattern to repeat with greater frequency.


Sources


  • https://hackread.com/codex-ui-tool-secretly-stole-openai-refresh-tokens/

  • https://ground.news/article/openai-codex-tool-steals-durable-developer-tokens

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page