OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack


Cybersecurity researchers have disclosed details of a supply chain campaign targeting developers who use OpenAI Codex through a legitimate-looking remote web user interface package known as codexui-android. The package, promoted on GitHub and npm as a remote web UI for OpenAI Codex, reportedly gained significant popularity with more than 29,000 weekly downloads. Despite concerns raised by researchers, the package remains available for download on npm, raising alarms about the security risks associated with trusted software dependencies.

Unlike many supply chain attacks that rely on typosquatting or fake packages designed to deceive users, researchers found that malicious code had been inserted into a working and actively maintained npm package. According to findings shared by Aikido Security researcher Charlie Eriksen, the associated GitHub repository appears clean, making detection more difficult for developers who may rely on public repositories to verify legitimacy. Eriksen stated that for nearly a month, every use of the package quietly transmitted OpenAI Codex authentication tokens to an attacker-controlled server. Researchers noted that the suspicious modifications were introduced around a month after the package first appeared on npm, likely to establish trust among users before enabling credential theft. The npm account linked to the package belongs to “friuns,” identified as Igor Levochkin.

Investigators found that the package contains code capable of extracting data from Codex’s local authentication file located at “~/.codex/auth.json” and sending it to a remote domain identified as “sentry.anyclaw[.]store,” which appears to imitate Sentry, a known application monitoring and error tracking platform. The stolen data reportedly includes highly sensitive authentication details such as access_token, refresh_token, id_token, and account ID. Researchers warned that the refresh token presents a major risk because it does not expire, potentially allowing threat actors to maintain silent and long-term access to affected accounts. A stolen refresh token may provide ongoing access beyond a standard chat interface, raising concerns about broader misuse depending on account permissions. OpenAI documentation has previously warned users that authentication details stored in “~/.codex/auth.json” should be treated like passwords and must never be shared, pasted into chats, or committed to repositories.

Researchers also revealed that the npm package was not the only delivery method linked to the campaign. An Android application called OpenClaw Codex Claude AI Agent, identified by the package name “gptos.intelligence.assistant,” was observed running the npm package inside a PRoot sandbox environment while transmitting Codex credentials to the same remote server. The application, reportedly released by an entity named BrutalStrike, has surpassed 50,000 downloads. Security researchers explained that while the Android package itself appears relatively clean during Play pre-publish scans, it extracts a Termux-based Linux environment during its first launch and runs Node.js internally using PRoot. Since the npm package version is not pinned, devices automatically fetch the latest available version from npm, including malicious updates. Researchers further linked a second Android application named Codex, carrying the package name “codex.app” and exceeding 10,000 downloads, to the same credential theft chain. However, the remaining three applications offered by the same developer were not found to contain similar functionality.
