{"slug": "a-popular-openai-codex-tool-with-29000-weekly-downloads-has-been-quietly-tokens", "title": "A popular OpenAI Codex tool with 29,000 weekly downloads has been quietly stealing developer tokens for a month", "summary": "A popular npm package for OpenAI Codex with 29,000 weekly downloads has been stealing developer authentication tokens for a month. The same credential-theft chain also ran through two Android apps with over 60,000 combined downloads. The stolen credentials include access tokens, refresh tokens, ID tokens, and account IDs, allowing attackers to impersonate developers indefinitely.", "body_md": "#### TL;DR\n\nA popular npm package for OpenAI Codex with 29,000 weekly downloads has been stealing developer authentication tokens for a month. The same credential-theft chain also ran through two Android apps with over 60,000 combined downloads.\n\nThe codexui-android npm package kept its GitHub repository clean while silently exfiltrating authentication credentials via a server disguised as Sentry.\n\nThe npm package looked legitimate. It had an active GitHub repository, steady development history, and roughly 29,000 weekly downloads. For developers using [OpenAI Codex](https://www.aikido.dev/blog/codex-remote-ui-steals-ai-tokens), it offered exactly what it advertised: a remote web UI for the AI coding tool.\n\nBut for the past month, every invocation of codexui-android has also been silently reading the contents of the user’s Codex authentication file and shipping it to an attacker-controlled server. 
The stolen data includes access tokens, refresh tokens, ID tokens, and account IDs: everything needed to impersonate the developer indefinitely.\n\n“*The refresh_token doesn’t expire*,” Aikido Security researcher Charlie Eriksen [wrote](https://www.aikido.dev/blog/codex-remote-ui-steals-ai-tokens). “*An attacker holding it can silently impersonate you indefinitely*.”\n\nThe attack was unusually sophisticated for an npm supply chain compromise. Unlike typical [supply chain attacks](https://thenextweb.com/news/european-commission-breach-trivy-supply-chain) that rely on typosquatting or disposable packages, codexui-android was a functional tool under active development. Its [GitHub repository remained clean](https://github.com/friuns2/codex-mobile/issues/198). The malicious code existed only in the npm build.\n\nThe package extracts the contents of Codex’s `~/.codex/auth.json` file, a plaintext credential cache created whenever a user logs in via the Codex app, CLI, or IDE extension. It then sends those credentials to `sentry.anyclaw[.]store`, a server name chosen to mimic [Sentry](https://sentry.io/), the legitimate error-tracking platform.\n\nThe nefarious functionality was introduced approximately a month after the package was first published, a common tactic for building user trust before deploying a payload. [WHOIS records](https://whois.domaintools.com/anyclaw.store) show the exfiltration domain was registered on 12 April 2026, just two days after the first package version (0.1.72) was uploaded to npm. The malicious code appeared from version 0.1.82 onward.\n\nThe npm package was not the only delivery vector. Aikido found that an Android application called [OpenClaw Codex Claude AI Agent](https://play.google.com/store/apps/details?id=gptos.intelligence.assistant), published by a developer named BrutalStrike, was running the same npm package inside a PRoot sandbox on users’ devices. 
The app had accumulated more than 50,000 downloads on [Google Play](https://thenextweb.com/news/openai-chatgpt-advanced-security-yubico-passkeys).\n\nA second BrutalStrike app, simply called Codex, had over 10,000 downloads and contained the same exfiltration chain. Because neither app pinned a specific npm package version, they automatically pulled whatever was currently published, meaning the malicious code was delivered to mobile users the moment it went live.\n\nThe combined attack surface, roughly 29,000 weekly npm downloads plus more than 60,000 mobile installations, makes this one of the more significant credential-theft campaigns to target the AI developer tooling ecosystem.\n\nThe npm account behind the package belongs to “*friuns*,” identified by Aikido as Igor Levochkin. When [confronted on GitHub](https://github.com/friuns2/codex-mobile/issues/198), the author initially claimed to have lost access to the npm account, then edited the response to say they were “*currently investigating this issue internally*.”\n\nLevochkin said no credential data was shared with third parties, but did not explain why the exfiltration code was inserted only into the npm build, or why access to users’ Codex tokens was needed in the first place. The [X profile](https://x.com/friuns2) linked to the account includes the domain anyclaw[.]store, the same domain to which the stolen tokens were sent.\n\nThe attack arrives in a period of escalating threats to [AI developer tooling](https://thenextweb.com/news/ai-agents-hijacked-prompt-injection-bug-bounties-no-cve). Last month, a [poisoned VS Code extension breached GitHub’s own internal repositories](https://thenextweb.com/news/github-confirms-hackers-stole-thousands-of-internal-code-repositories-after-employee-installed-a-poisoned-vs-code-extension), exfiltrating 3,800 repos after an employee installed the malicious package. 
That attack, attributed to the group TeamPCP, harvested credentials from 1Password vaults, Claude Code configurations, and AWS.\n\nThe lesson from both incidents is the same. As AI coding tools become essential infrastructure, the authentication tokens they generate, and often store in plaintext, are becoming high-value targets. OpenAI’s own [documentation](https://developers.openai.com/codex/auth) warns developers to treat `~/.codex/auth.json` like a password. The codexui-android campaign is a demonstration of what happens when that advice goes unheeded, and when the tools developers trust are designed to exploit that trust.\n\nAikido has also [separately reported](https://thenextweb.com/news/openai-gpt-5-4-cyber-trusted-access-defenders-mythos) that deleted Google API keys remain live for up to 23 minutes after revocation, a window attackers can exploit to access user data and Gemini conversations. Google has since classified the issue as a P0 bug. The finding underscores a broader problem: credential revocation in cloud environments is rarely as instant as defenders assume.", "url": "https://wpnews.pro/news/a-popular-openai-codex-tool-with-29000-weekly-downloads-has-been-quietly-tokens", "canonical_source": "https://thenextweb.com/news/a-popular-openai-codex-tool-with-29000-weekly-downloads-has-been-quietly-stealing-developer-tokens-for-a-month", "published_at": "2026-06-03 20:54:34+00:00", "updated_at": "2026-06-03 22:08:32.848140+00:00", "lang": "en", "topics": ["ai-tools", "ai-safety", "ai-products", "ai-infrastructure"], "entities": ["OpenAI Codex", "Aikido Security", "Charlie Eriksen", "codexui-android"], "alternates": {"html": "https://wpnews.pro/news/a-popular-openai-codex-tool-with-29000-weekly-downloads-has-been-quietly-tokens", "markdown": "https://wpnews.pro/news/a-popular-openai-codex-tool-with-29000-weekly-downloads-has-been-quietly-tokens.md", "text": 
"https://wpnews.pro/news/a-popular-openai-codex-tool-with-29000-weekly-downloads-has-been-quietly-tokens.txt", "jsonld": "https://wpnews.pro/news/a-popular-openai-codex-tool-with-29000-weekly-downloads-has-been-quietly-tokens.jsonld"}}