Codex Token Theft Campaign Hits npm and Android Apps
A sophisticated Codex token theft campaign has exposed developers to credential compromise through a malicious npm package and Android applications disguised as legitimate productivity tools.
The operation centered around an npm package called codexui-android, which presented itself as a remote web interface for OpenAI Codex. However, hidden code inside the published package silently collected authentication tokens from users immediately after launch.
Researchers discovered the malicious activity after noticing that the package distributed through npm differed from the publicly available GitHub source code. By then the project had already gained traction, reaching nearly 27,000 weekly downloads before detection.
Hidden Credential Theft Embedded in npm Package
The malicious behavior was carefully concealed inside the compiled package rather than the visible GitHub repository. As a result, developers auditing the open-source code would not see the hidden credential-stealing logic.
The malware targeted the auth.json file stored in the local Codex configuration directory. Once located, the file contents were XOR-obfuscated with the fixed key anyclaw2026 and base64-encoded before being transmitted to an attacker-controlled endpoint. XOR with a static key is reversible by anyone who holds the key, so this step hides the tokens from casual inspection of the traffic rather than protecting them.
Investigators found that the exfiltration server used the domain sentry.anyclaw[.]store, a name chosen to resemble legitimate Sentry error-telemetry traffic. An outbound HTTPS request to a host named "sentry" at application startup looks routine, so the connection could easily blend into normal monitoring activity.
The stolen data reportedly included:
- Access tokens
- Refresh tokens
- ID tokens
- OpenAI account identifiers
Because refresh tokens remain valid for long periods and are used to obtain new access tokens without further user interaction, an attacker holding one can maintain persistent access to the victim's account until it is revoked, without triggering another login.
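To see what an analyst actually recovers from a captured request body, the following is an added example, not code from the malicious package: it implements the XOR-with-static-key plus base64 transform the article describes, uses the symmetry of XOR to decode a captured body with the reported key, and lists which credential fields the decoded JSON carried without printing their values. The sample auth.json is constructed for the demo, and its nested "tokens" layout is an assumption about the Codex CLI file; the field collector walks whatever structure it is given and does not depend on that layout.

```javascript
// Added example, not the malware's own code.
const XOR_KEY = "anyclaw2026"; // key reported for this campaign

// XOR buf against a repeating ASCII key. Applying it twice restores the input.
function xorBytes(buf, key) {
  const k = Buffer.from(key, "utf8");
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ k[i % k.length];
  return out;
}

// Encoding direction, present only so the decoder can be exercised offline.
function encodeExfil(plaintext, key = XOR_KEY) {
  return xorBytes(Buffer.from(plaintext, "utf8"), key).toString("base64");
}

// Walk parsed JSON and record every string leaf whose key name looks like a
// credential. Reports path and length only, never the secret itself.
function collectCredentialFields(node, prefix = [], found = []) {
  if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      const p = [...prefix, k];
      if (v && typeof v === "object") {
        collectCredentialFields(v, p, found);
      } else if (/token|account|api_key/i.test(k) && typeof v === "string" && v.length > 0) {
        found.push({ path: p.join("."), length: v.length });
      }
    }
  }
  return found;
}

// Decode a captured body. A wrong key or a truncated capture yields bytes that
// are not JSON, which is reported as ok:false with the raw decode attached.
function decodeExfil(b64, key = XOR_KEY) {
  const raw = xorBytes(Buffer.from(b64, "base64"), key).toString("utf8");
  try {
    return { ok: true, fields: collectCredentialFields(JSON.parse(raw)) };
  } catch {
    return { ok: false, raw };
  }
}

// Constructed sample; the nested "tokens" layout is an assumption, not the
// documented file format.
const SAMPLE_AUTH_JSON = JSON.stringify({
  tokens: {
    access_token: "eyJhbGciOiJSUzI1NiJ9.sample.access",
    refresh_token: "sample-refresh-token-value",
    id_token: "eyJhbGciOiJSUzI1NiJ9.sample.id",
    account_id: "acct_sample_123",
  },
  last_refresh: "2026-01-01T00:00:00Z",
});

const capturedBody = encodeExfil(SAMPLE_AUTH_JSON);
console.log("captured body:", capturedBody.slice(0, 40) + "...");
console.log("with reported key:", decodeExfil(capturedBody));
console.log("with wrong key:", decodeExfil(capturedBody, "wrongkey").ok);
```

In practice the body comes from a proxy log or packet capture of the POST to the exfiltration host; the decoder tells you which tokens left the machine, which is what decides whether a refresh token must be revoked rather than just an access token allowed to expire.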
Android Apps Expanded the Attack Surface
The Codex token theft operation extended beyond npm packages. Researchers also linked the same threat actor to Android applications published on Google Play.
One app, named “OpenClaw Codex Claude AI Agent,” automatically downloaded the malicious npm package during startup. Another application, simply called “Codex,” reportedly used the same credential exfiltration chain.
Instead of embedding obvious malware directly inside the APK, the applications extracted a lightweight Linux environment on first launch. They then executed Node.js processes that silently installed the malicious npm dependency from the registry.
This technique helped the apps avoid pre-publication detection checks while maintaining flexibility to update the malicious payload remotely.
Attackers Built Trust Before Launching the Theft
What makes this campaign particularly dangerous is the effort invested in legitimacy. The attackers maintained active repositories, functional applications, and realistic branding to gain developer trust over time.
Security researchers also connected the publisher alias “BrutalStrike” to other widely downloaded mobile applications, raising concerns about broader exposure across the Android ecosystem.
Security Recommendations for Developers
Developers who installed codexui-android or either of the related Android applications should treat the contents of auth.json as compromised: revoke the existing Codex session and re-authenticate so that the stolen refresh token stops working. Deleting the local file alone does not invalidate tokens that have already been copied.
Security teams are also advised to:
- Monitor traffic to sentry.anyclaw[.]store
- Audit systems for unauthorized Node.js activity
- Review local storage for suspicious auth.json access
- Block malicious domains at firewall and DNS levels
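The first and last of those recommendations reduce to matching hostnames in proxy or DNS logs against the reported domain, and the lookalike naming makes the match worth getting right: blocking or alerting on "sentry" would flood the queue with legitimate Sentry traffic, while a plain substring match on the malicious name would fire on unrelated hosts. The following is an added example, not part of the article or any vendor detection content, that scans constructed log lines for the registrable domain and its subdomains. The "timestamp client host" line format is an assumption for the demo.

```javascript
// Added example, not from the article or any vendor tooling.
// Registrable domain behind sentry.anyclaw[.]store, written without the
// defanging brackets so it can be compared against real log data.
const IOC_DOMAINS = ["anyclaw.store"];

// True when host equals an IOC domain or is a subdomain of it. Anchoring at the
// end of the name means "anyclaw.store.example.com" is not a hit; lowercasing
// and stripping a trailing dot cover the variations DNS logs produce.
function isIocHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return IOC_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Assumed log format: "<timestamp> <client ip> <hostname>".
function parseLine(line) {
  const m = line.trim().match(/^(\S+)\s+(\S+)\s+(\S+)$/);
  return m ? { ts: m[1], client: m[2], host: m[3] } : null;
}

// Returns the parsed records whose host matches an IOC, in log order.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (rec && isIocHost(rec.host)) hits.push(rec);
  }
  return hits;
}

// Distinct client IPs that contacted an IOC host: the machines to triage.
function affectedClients(lines) {
  return [...new Set(scanLog(lines).map((r) => r.client))].sort();
}

// Constructed sample log lines.
const SAMPLE_LOG = [
  "2026-02-01T09:00:01Z 10.0.0.12 registry.npmjs.org",
  "2026-02-01T09:00:02Z 10.0.0.12 sentry.io",                 // legitimate Sentry, not a hit
  "2026-02-01T09:00:03Z 10.0.0.12 sentry.anyclaw.store",      // reported exfiltration host
  "2026-02-01T09:00:04Z 10.0.0.19 SENTRY.ANYCLAW.STORE.",     // same host, different case, trailing dot
  "2026-02-01T09:00:05Z 10.0.0.21 anyclaw.store.example.com", // lookalike prefix, not a hit
  "2026-02-01T09:00:06Z 10.0.0.21 api.openai.com",
];

console.log(scanLog(SAMPLE_LOG));
console.log("clients to triage:", affectedClients(SAMPLE_LOG));
```

Hosts in the triage list are the ones whose auth.json should be assumed stolen; a hit that coincides with a Node.js process starting shortly after an app launch is the pattern the Android variants produce.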
The growing abuse of trusted developer ecosystems highlights how modern supply chain attacks increasingly rely on credibility instead of obvious malware. Consequently, the Codex token theft campaign serves as another warning that even polished and functional developer tools can hide serious security risks.