Malicious Supply Chain Campaign Targets OpenAI Codex Developers via Fake UI Tool
Cybersecurity researchers have uncovered a sophisticated supply chain attack targeting developers using OpenAI Codex through a deceptive npm package and Android apps. The campaign, identified by Aikido Security, involves a legitimate-looking tool named codexui-android, which has amassed over 29,000 weekly downloads on npm and GitHub.
Unlike typical typosquatting attacks, the malicious code was embedded in a functional npm package under active development, with the GitHub repository appearing clean. Since its introduction about a month after the package’s initial release, the code has been silently exfiltrating OpenAI Codex authentication tokens to an attacker-controlled server (sentry.anyclaw[.]store), disguised as the legitimate error-tracking platform Sentry.
The stolen data includes access_token, refresh_token, id_token, and account ID all stored in plaintext at ~/.codex/auth.json. Notably, the refresh_token does not expire, granting attackers persistent, silent access to the victim’s account, including any associated capabilities.
The threat actor, linked to the npm account "friuns" (Igor Levochkin), also distributed the malicious code via Android apps. Two apps "OpenClaw Codex Claude AI Agent" (50,000+ downloads) and "Codex" (10,000+ downloads) run the npm package in a PRoot sandbox, extracting credentials and transmitting them to the same endpoint. The apps passed Google Play’s pre-publish scans, with the malicious functionality added post-installation.
When contacted, the package author initially claimed to have lost access to their npm account before later stating they were "investigating the issue internally" and removing the affected code. They denied sharing credentials with third parties but did not explain why the exfiltration code was added or why they needed access to Codex tokens. The domain anyclaw[.]store, linked to the author’s X profile, was registered on April 12, 2026, just two days after the first malicious npm package version was uploaded.
The attack reflects a broader trend of threat actors targeting AI developer tools to steal credentials and infiltrate software supply chains. Separately, researchers also revealed that deleted Google API keys remain active for up to 23 minutes, allowing attackers to exploit leaked keys for unauthorized access to user data, including Google Gemini files and cached conversations. While Google initially dismissed the issue, it later classified it as a P0 bug requiring immediate resolution.
The findings underscore the risks of credential revocation delays, which can be exploited to maintain access to cloud environments even after defenders assume keys have been invalidated.
Source: https://thehackernews.com/2026/06/openai-codex-authentication-tokens.html
OpenAI cybersecurity rating report: https://www.rankiteo.com/company/openai
"id": "OPE1780324345",
"linkid": "openai",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '29,000+ weekly npm downloads, '
'60,000+ Android app downloads',
'industry': 'Technology/Software Development',
'location': 'Global',
'name': 'OpenAI Codex Developers',
'type': 'Developers'},
{'customers_affected': '29,000+ weekly downloads',
'industry': 'Software Development',
'location': 'Global',
'name': 'npm (codexui-android package)',
'type': 'Package Registry'},
{'customers_affected': '60,000+ downloads',
'industry': 'Technology',
'location': 'Global',
'name': 'Google Play (OpenClaw Codex Claude AI Agent, '
'Codex apps)',
'type': 'App Store'}],
'attack_vector': 'Malicious npm package, Android apps',
'customer_advisories': 'Users of the affected Android apps should uninstall '
'them and revoke any associated OpenAI Codex tokens.',
'data_breach': {'data_encryption': 'No (plaintext storage at '
'~/.codex/auth.json)',
'data_exfiltration': 'Yes (to sentry.anyclaw[.]store)',
'personally_identifiable_information': 'Account IDs, '
'developer credentials',
'sensitivity_of_data': 'High (persistent access to developer '
'accounts)',
'type_of_data_compromised': 'Authentication tokens '
'(access_token, refresh_token, '
'id_token, account ID)'},
'description': 'Cybersecurity researchers have uncovered a sophisticated '
'supply chain attack targeting developers using OpenAI Codex '
'through a deceptive npm package and Android apps. The '
'campaign involves a legitimate-looking tool named '
'codexui-android, which has amassed over 29,000 weekly '
'downloads on npm and GitHub. The malicious code silently '
'exfiltrates OpenAI Codex authentication tokens to an '
'attacker-controlled server.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'OpenAI Codex and affected developers',
'data_compromised': 'OpenAI Codex authentication tokens '
'(access_token, refresh_token, id_token, '
'account ID)',
'identity_theft_risk': 'High (persistent access to developer '
'accounts)',
'operational_impact': 'Unauthorized access to developer accounts '
'and associated capabilities',
'systems_affected': 'Developer environments using OpenAI Codex, '
'Android devices with malicious apps'},
'initial_access_broker': {'backdoors_established': 'Persistent refresh_token '
'access',
'entry_point': 'Malicious npm package '
'(codexui-android), Android apps',
'high_value_targets': 'OpenAI Codex developers'},
'investigation_status': 'Ongoing (researchers disclosed findings; package '
'author removed malicious code)',
'lessons_learned': 'Risks of credential revocation delays, persistent access '
'via refresh tokens, and supply chain attacks targeting AI '
'developer tools.',
'motivation': 'Credential theft, persistent access to AI developer tools',
'post_incident_analysis': {'corrective_actions': ['Remove malicious code from '
'npm package and GitHub '
'repository',
'Revoke and rotate '
'compromised tokens',
'Improve detection of '
'supply chain attacks',
'Enhance authentication '
'token security policies'],
'root_causes': ['Lack of token expiration for '
'refresh_token',
'Malicious code embedded in '
'functional npm package',
'Post-installation malicious '
'behavior in Android apps',
'Delayed credential revocation']},
'recommendations': ['Revoke and rotate compromised OpenAI Codex tokens '
'immediately',
'Monitor for unauthorized access to developer accounts',
'Enhance scrutiny of npm packages and third-party '
'dependencies',
'Implement stricter authentication token expiration '
'policies',
'Improve detection of post-installation malicious '
'behavior in mobile apps'],
'references': [{'source': 'Aikido Security'},
{'source': 'npm (codexui-android package)'},
{'source': 'GitHub repository (codexui-android)'},
{'source': 'Google Play (OpenClaw Codex Claude AI Agent, Codex '
'apps)'}],
'response': {'communication_strategy': 'Researchers disclosed findings; '
'package author claimed to investigate '
'internally',
'containment_measures': 'Malicious code removed from npm package '
'and GitHub repository',
'remediation_measures': 'Package author removed affected code; '
'Google Play apps may have been removed '
'or updated',
'third_party_assistance': 'Aikido Security (researchers)'},
'stakeholder_advisories': 'Developers using OpenAI Codex should revoke and '
'rotate authentication tokens immediately.',
'threat_actor': 'Igor Levochkin (npm account: friuns)',
'title': 'Malicious Supply Chain Campaign Targets OpenAI Codex Developers via '
'Fake UI Tool',
'type': 'Supply Chain Attack',
'vulnerability_exploited': 'Persistent refresh_token in OpenAI Codex '
'authentication'}