# Codex UI Package Steals OpenAI Authentication Tokens > Source: > Published: 2026-05-29 14:51:17.099424+00:00 # Codex UI Package Steals OpenAI Authentication Tokens A popular npm package, codexui-android, secretly exfiltrated OpenAI Codex authentication tokens, researchers report. According to Aikido Security researcher Charlie Eriksen, the package amassed about **27,000 weekly downloads** and, starting roughly a month after publication, every invocation began sending the contents of users' auth.json (Codex auth tokens) to an attacker-controlled endpoint, reportedly sentry.anyclaw.store (per Aikido blog). Cybernews reports the package delivered genuine functionality and that the malicious code was pulled at runtime rather than present in the GitHub repository, which allowed it to evade source audits and, Cybernews adds, to bypass Google Play pre-publication scans. The incident illustrates a supply-chain technique where threat actors weaponize legitimate developer tools, according to the published researcher findings. ### What happened A supply-chain credential-theft campaign targeting OpenAI Codex users was disclosed by Aikido Security and reported by Cybernews and ITSecurityNews. Per the Aikido Security blog post by researcher Charlie Eriksen, the npm package codexui-android, presented as a remote web UI for **OpenAI Codex**, accumulated roughly **27,000 weekly downloads** and, beginning about a month after first appearing, started exfiltrating local authentication files. Aikido's analysis shows the package reads the user's Codex auth file (for example ~/.codex/auth.json), XOR-encrypts the contents, base64-encodes them, and POSTs the payload to sentry.anyclaw.store at the /startlog path. Cybernews corroborates that the malicious code was not present in the public GitHub repo and was fetched at runtime, which the reporting says allowed the package to evade source audits and Google Play's pre-publication scans. ### Technical details Aikido's published code excerpt shows a top-level module load in dist-cli/index.js that executes before application logic. The extracted logic (reported in the Aikido blog) includes a readAuth() routine that reads the auth.json file, and a sendToStartlog() routine that XOR-encrypts using the key "anyclaw2026", base64-encodes the result, and issues an HTTPS POST to the attacker-controlled host. The Aikido blog reproduces the exact comment from the bundled code: "Send tokens to our startlog endpoint (always, independent of Sentry)." Cybernews reports the author waited until the tool had a robust user base before the malicious behavior appeared in published package versions. Editorial analysis - technical context: Companies and practitioners monitoring supply-chain risk will recognise two notable technical motifs in this incident. First, executing malicious code at package runtime rather than bundling it in the visible source defeats source-based audits and typical static review. Second, exfiltrating long-lived auth artifacts from well-known file locations is a low-friction way to achieve persistent access. These patterns align with recent supply-chain campaigns that weaponize legitimate utility or developer tooling to increase trust and reach. ### Context and significance This event sits at the intersection of two broad trends: increased use of AI coding tools like **OpenAI Codex**, and attackers shifting to supply-chain vectors that prioritize credibility over obvious malicious artifacts. Reported download volume (**27,000 weekly**) makes this a non-trivial exposure for developer ecosystems that rely on third-party packages and companion mobile tooling. The runtime-fetch strategy that Cybernews describes underscores a gap in defenses that rely on source integrity checks or static scanning alone. ### What to watch Editorial analysis: Observers should track whether other packages with genuine functionality adopt the same delayed-weaponization approach. Indicators to monitor include: - •unexpected network connections to external hosts from developer tools, - •top-level module code that runs before application initialization (reported in the Aikido analysis), - •discrepancies between published package artifacts and the corresponding public repository (noted by Aikido and Cybernews). For practitioners: Review and monitor where long-lived API tokens and auth.json-style credentials are stored, enforce least-privilege token scopes where possible, and consider runtime network egress monitoring for development machines and CI runners. Industry tooling that verifies package content after installation, and binary-level scanning of distributed artifacts, can surface runtime-fetched components that source audits miss. ### Attributions and current status Reported facts in this summary come from the Aikido Security blog post by Charlie Eriksen (May 2026) and reporting by Cybernews and ITSecurityNews (May 29, 2026). Aikido's post includes the reproduced code and the in-source comment quoted above. Cybernews reports that the package was still available via Google Play at the time of their article and highlights the runtime-fetch technique as a bypass for pre-publication scans. Neither Aikido nor the news reports attribute motive to the package author; the GitHub account BrutalStrike appears in reporting as linked to the author. ## Scoring Rationale This is a notable supply-chain credential-theft incident affecting developer tooling with substantial reach (reported **27,000 weekly downloads**). The runtime-fetch technique undermines common source-audit defenses and is directly relevant to practitioners managing package risk and token hygiene. Practice interview problems based on real data 1,500+ SQL & Python problems across 15 industry datasets — the exact type of data you work with. [Try 250 free problems](/problems)