Malicious Codex Tool Steals OpenAI Tokens from Developers
Severity: High (Score: 68.0)
Sources: Cybernews, Gbhackers, Letsdatascience, Cybersecuritynews, Aikido.Dev
Published: · Updated:
Keywords: codex, popular, tool, secretly, tokens, stealing, openai
Severity indicators: malware
Summary
A malicious npm package named 'codexui-android' has been discovered, which masquerades as a legitimate remote UI for OpenAI Codex. This tool, downloaded approximately 27,000 times weekly, has been silently exfiltrating users' authentication tokens for the past month. The malware operates by pulling additional malicious code post-installation, allowing it to evade detection during Google Play's security scans. The stolen tokens include long-lived refresh tokens, which can grant attackers indefinite access to user accounts. The threat actor designed the tool to appear functional and useful, making it particularly dangerous. The malicious code sends stolen data disguised as legitimate telemetry to an attacker-controlled server. The tool remains available for download on Google Play as of today, raising ongoing security concerns for developers using OpenAI Codex. Key Points: • The 'codexui-android' npm package has been stealing OpenAI authentication tokens since April 2026. • The malware exploits a legitimate-looking tool, accumulating 27,000 downloads weekly before detection. • Stolen refresh tokens provide attackers with long-term access to user accounts without expiration.
Detailed Analysis
**Impact** Approximately 27,000 weekly downloads of the codexui-android npm package indicate a large number of developers affected globally, primarily those using OpenAI Codex tools. The stolen data includes persistent refresh tokens, access tokens, ID tokens, and account IDs, enabling attackers to maintain indefinite, silent access to compromised developer accounts. This access could lead to unauthorized use of AI services and potential downstream impacts on software supply chains and developer operations. The malicious Android apps linked to the same author have tens of thousands of installs, extending the risk to mobile users. **Technical Details** The attack involves a supply chain compromise where the malicious code was injected only into the published npm package, not the GitHub source, evading source audits. The codexui-android package executes exfiltration logic at module load, sending tokens stored in ~/.codex/auth.json to a user-controlled server at sentry.anyclaw[.]store disguised as legitimate Sentry telemetry. The malicious payload is deployed via npm and embedded in Android apps that run Node.js in a sandboxed Linux environment, pulling the latest malicious package at runtime. Windows Defender detects the payload as Trojan:JS/CodeRat.DA!MTB. No CVEs or exploitation of software vulnerabilities were reported. **Recommended Response** Immediately remove and block the codexui-android npm package and associated Android apps from development environments and app stores. Monitor network traffic for connections to sentry.anyclaw[.]store and related domains. Revoke and rotate all OpenAI Codex refresh tokens and credentials potentially exposed. Deploy endpoint detection for Trojan:JS/CodeRat.DA!MTB and audit installed npm packages for unauthorized code. No patches are available; focus on token security and supply chain monitoring.
Source articles (5)
- Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens — Aikido.Dev · 2026-05-27
There's a new playbook in the supply chain threat landscape, where an someone builds something genuinely useful, growing a real user base. But all while stealing credentials. codexui-android is a remo… - OpenAI credential-stealing malware found hidden inside popular Codex tool — Cybernews · 2026-05-29
A popular Codex tool used by thousands of developers has been secretly stealing users’ login tokens for the past month – all by triggering the installation of a malicious npm package – and it’s still… - Fake Codex Remote UI Steals OpenAI Auth Tokens — Gbhackers · 2026-05-29
A newly uncovered supply chain attack is leveraging a legitimate-looking developer tool, codexui-android, to silently steal OpenAI Codex authentication tokens, highlighting a growing trend where threa… - Legitimate — Cybersecuritynews · 2026-05-29
A polished, fully functional npm package has been caught secretly stealing OpenAI Codex authentication tokens from developers who trusted it. The package, named codexui-android, presented itself as a… - Codex UI Package Steals OpenAI Authentication Tokens | Let's Data Science — Letsdatascience · 2026-05-29
A popular npm package, codexui-android , secretly exfiltrated OpenAI Codex authentication tokens, researchers report. According to Aikido Security researcher Charlie Eriksen, the package amassed 27,00…
Timeline
- 2026-04-27 — Malicious code introduced in codexui-android: All published versions of the npm package began containing hidden malicious code, exfiltrating authentication tokens.
- 2026-05-27 — Aikido Security reports on the threat: Aikido Security published findings detailing the malicious activity of codexui-android, highlighting its stealthy nature.
- 2026-05-29 — Cybernews article confirms ongoing threat: Cybernews reported that the malicious package is still available for download on Google Play, emphasizing the urgency of the situation.
Related entities
- Malware (Attack Type)
- Supply Chain Attack (Attack Type)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- codex.app (Domain)
- CodeRat (Malware)
- OpenClaw Codex Claude AI Agent (Malware)
- T1003 - OS Credential Dumping (Mitre Attack)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1195 - Supply Chain Compromise (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- Android (Platform)
- GitHub (Platform)
- Google Play (Platform)
- Linux (Platform)
- Play Store (Platform)
- Pnpm (Platform)
- Npm (Tool)
- OpenAI Codex (Tool)
- Codexui-android (Tool)
- Node.js (Tool)
- PRoot (Tool)
- Sentry (Tool)
- Termux (Tool)