Developers reached for convenience. They installed a remote web UI for OpenAI’s Codex coding agent. Thousands did so every week. Now many face the quiet loss of long-lived authentication tokens that grant indefinite access to their accounts.
The incident centers on codexui-android, an npm package promoted as a legitimate interface for Codex. It racked up more than 27,000 weekly downloads. Active development masked its darker purpose. The associated GitHub repository stayed clean. Malicious code appeared only in published npm versions.
Supply Chain Deception Meets Persistent Credentials
Aikido Security spotted the exfiltration. Researcher Charlie Eriksen laid it out plainly. “There’s a new playbook in the supply chain threat landscape, where someone builds something genuinely useful, growing a real user base. But all while stealing credentials.” He added, “It’s a functional tool that developers actually wanted rather than a typosquat or throwaway package. That’s what makes it dangerous.”
The package, published under the npm account “friuns” belonging to Igor Levochkin, introduced the harmful code roughly a month after its initial release. From version 0.1.82 onward, every startup triggered the theft. The code read the entire contents of ~/.codex/auth.json or the equivalent under $CODEX_HOME. It grabbed access tokens, refresh tokens, ID tokens and account identifiers.
Then it XOR-encrypted the data with the key “anyclaw2026,” base64-encoded the result and POSTed it to sentry.anyclaw.store/startlog. The domain mimicked Sentry, the popular error-tracking service. Errors were suppressed. The operation ran silently on module load through a chunked file that executed before the main application code. And the refresh token? “The refresh_token doesn’t expire,” Eriksen said. “An attacker holding it can silently impersonate you indefinitely. A stolen Codex refresh_token goes beyond access to a chat interface — it’s persistent, silent access to whatever that account can do.”
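For responders holding a captured request body from a proxy or TLS-inspection log, the encoding described above can be reversed to confirm which credential fields left the machine. This is an added example, not code from the package or from Aikido; it assumes the XOR step is a repeating-key XOR, and the sample auth.json layout and placeholder values are constructed.

```javascript
// Added incident-response example; not code from the package or from Aikido.
// Assumption: "XOR-encrypted" means a repeating-key XOR over the raw bytes.
const XOR_KEY = Buffer.from('anyclaw2026', 'utf8'); // key as reported above

function xorWithKey(buf, key = XOR_KEY) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key[i % key.length];
  return out;
}

// Decode one captured body and report which credential fields it carried.
// Only field paths are returned, never values, so the result can go in a ticket.
function summarizeCapturedBody(b64Body) {
  const raw = Buffer.from(b64Body.trim(), 'base64');
  if (raw.length === 0) return { decoded: false, reason: 'empty or not base64' };
  let doc;
  try {
    doc = JSON.parse(xorWithKey(raw).toString('utf8'));
  } catch {
    return { decoded: false, reason: 'not JSON after XOR; different key or format' };
  }
  const found = [];
  const walk = (node, path) => {
    if (node === null || typeof node !== 'object') return;
    for (const [k, v] of Object.entries(node)) {
      const p = path ? `${path}.${k}` : k;
      if (/token|account/i.test(k) && typeof v === 'string' && v) found.push(p);
      walk(v, p);
    }
  };
  walk(doc, '');
  return {
    decoded: true,
    exposedFields: found.sort(),
    mustRevoke: found.some((f) => /refresh_token/i.test(f)), // non-expiring per the article
  };
}

// Constructed sample: placeholder values in an assumed auth.json layout.
const sampleAuth = {
  tokens: { access_token: 'PLACEHOLDER-A', refresh_token: 'PLACEHOLDER-R',
            id_token: 'PLACEHOLDER-I', account_id: 'PLACEHOLDER-ACCT' },
  last_refresh: '2026-01-01T00:00:00Z',
};
const sampleBody = xorWithKey(Buffer.from(JSON.stringify(sampleAuth), 'utf8')).toString('base64');

console.log(summarizeCapturedBody(sampleBody));
```

A body that fails to decode does not clear the host; it only means this capture does not match the reported key and format.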
OpenAI itself had warned users. In its documentation the company stated, “If you use file-based storage, treat ~/.codex/auth.json like a password: it contains access tokens. Don’t commit it, paste it into tickets, or share it in chat.” The warning proved prescient. Yet many developers stored credentials locally for convenience. The package exploited exactly that habit.
But the npm package formed only one vector. Aikido researchers discovered Android applications tied to an entity called “BrutalStrike” that bundled the same malicious logic. The app “OpenClaw Codex Claude AI Agent” boasts more than 50,000 downloads on Google Play. Another, simply called “Codex,” has surpassed 10,000. These apps use a PRoot sandbox to run a Termux-derived Linux environment. They pull the latest npm package without pinning the version. Users sign in within the app. The malicious code then ships the full OAuth blob to the same endpoint.
The domain anyclaw.store was registered on April 12, 2026. That date sits just two days after the first version of the npm package appeared. Levochkin’s X profile links to the domain. When Aikido reached out on GitHub, the author first claimed lost access to the npm account. The comment was edited overnight. The new statement said the team was “currently investigating this issue internally” and had “started removing the affected functionality and related data.” It asserted that no credential data was shared with third parties. Questions about why the code existed only in the npm build went unanswered.
This episode arrives months after another Codex vulnerability drew attention. In March, BeyondTrust Phantom Labs disclosed a command injection flaw. Security researcher Tyler Jespersen explained that the bug lived in the task creation HTTP request. Attackers could smuggle arbitrary commands through the GitHub branch name parameter. The payload executed inside Codex’s cloud container. It harvested the very GitHub User Access Token that Codex used for repository authentication.
“This can result in the theft of a victim’s GitHub User Access Token – the same token Codex uses to authenticate with GitHub,” Jespersen said. The flaw enabled lateral movement across codebases. OpenAI patched it in early February 2026 after responsible disclosure in December 2025. That incident targeted cloud execution and GitHub integration. The current supply-chain attack strikes at local credential storage and third-party tooling. Both reveal how quickly trust assumptions break when AI agents handle sensitive authentication.
So the pattern sharpens. Threat actors invest in credible projects. They grow audiences. Then they embed exfiltration. Eriksen noted the shift. “The pattern here is worth flagging is one where a threat actor invested real effort into building a credible, useful project to use as cover. The legitimacy is the attack vector. As AI tools proliferate and developers reach for productivity shortcuts, expect more of this.”
Enterprise security teams now confront blurred boundaries. Codex agents operate in containers, on desktops, inside IDEs and on mobile. Credentials flow between them. Refresh tokens persist. Local files hold production-level access. A single compromised convenience tool can expose workspaces, fine-tuned models, proprietary codebases and billing details.
Recent coverage echoes the urgency. Hackread reported on the 27,000-download scale and the author’s evasive responses just yesterday. Other outlets highlighted the Android delivery path and the need to treat exposed auth.json files as full credential breaches.
Remediation demands speed. Users should remove the package and any related Android apps. They must revoke Codex and OpenAI sessions from a clean device. Rotate credentials. Review audit logs for anomalous activity. Clear local auth state. Check package caches. The window for damage remains open as long as refresh tokens circulate.
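One way to find where the package is pinned across projects is to check each parsed package-lock.json for codexui-android and mark versions at or above 0.1.82, the first release reported to steal credentials. This is an added example, not tooling from Aikido or npm; the wrapper package name in the sample is hypothetical and the sample lockfile is constructed.

```javascript
// Added example; not from Aikido or npm. Input is a parsed package-lock.json object.
const PKG = 'codexui-android';
const FIRST_BAD = [0, 1, 82]; // article: theft on every startup from 0.1.82 onward

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isStealingVersion(v) {
  const p = parseVersion(v);
  if (!p) return true; // git or tarball spec: treat as affected until inspected
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIRST_BAD[i]) return p[i] > FIRST_BAD[i];
  }
  return true; // exactly 0.1.82
}

// lockfileVersion 2/3 lists installs under "packages", keyed by node_modules path;
// lockfileVersion 1 nests them under "dependencies", keyed by package name.
function findInLockfile(lock) {
  const hits = [];
  const record = (where, meta) =>
    hits.push({ where, version: meta.version, stealsCredentials: isStealingVersion(meta.version) });
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) record(path, meta);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = `${trail}>${name}`;
      if (name === PKG) record(here, meta);
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, 'root'); // avoid double counting in v2
  return hits;
}

// Constructed sample lockfile; "example-wrapper" is a hypothetical package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-project' },
    'node_modules/codexui-android': { version: '0.1.90' },
    'node_modules/example-wrapper/node_modules/codexui-android': { version: '0.1.81' },
  },
};

console.log(findInLockfile(sampleLock));
```

Any hit warrants removal, and a hit with `stealsCredentials: true` means the auth.json on every machine that ran that install should be treated as disclosed. Global installs leave no project lockfile, so check those separately with `npm ls -g codexui-android`.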
OpenAI has not issued a direct public statement on this specific incident as of June 1. Its earlier warnings about the auth file show awareness of the risk. Yet the ecosystem’s reliance on local tokens and community-built interfaces creates openings. Developers prize speed. Attackers count on it.
The case underscores a larger truth. AI coding tools lower barriers. They also multiply surfaces. Every shortcut package, every sandboxed mobile wrapper, every cached credential becomes a potential pivot point. Security must match the pace of adoption. Otherwise persistent access becomes the default outcome. Short. Simple. Costly.


WebProNews is an iEntry Publication