A polished, fully functional npm package has been caught secretly stealing OpenAI Codex authentication tokens from developers who trusted it.
The package, named codexui-android, presented itself as a remote web UI for OpenAI Codex with no obvious signs of being malicious.
It built a genuine user base, amassed 27,000 weekly downloads, and maintained an active GitHub repository, all while quietly draining credentials in the background.
The threat had been active for roughly one month before detection. Every published version contained hidden code that fired the moment the tool launched, without any user interaction required.
The malicious logic ran before any application code, giving it full access to stored authentication files right from startup.
Aikido said in a report shared with Cyber Security News (CSN) that, after examining the published npm package, it found the malicious behavior in extra code that had never been committed to the GitHub repository.
This made it nearly invisible to standard code audits. Developers checking the source would find nothing suspicious, because the theft logic existed only inside the distributed package itself.

The exfiltration code targeted the auth.json file stored in the user’s Codex home directory. Once found, the contents were XOR-encrypted using the key “anyclaw2026,” base64-encoded, and silently sent to an attacker-controlled server.
The endpoint was named to resemble a legitimate Sentry error-reporting connection, making it easy to overlook during routine network monitoring.
What made this campaign alarming was how complete the theft was. The package grabbed the access token, refresh token, ID token, and account ID in one sweep. Since refresh tokens do not expire, an attacker holding one could silently impersonate the victim indefinitely.
Legitimate-Looking Codex Remote UI
The malicious file in the package, chunk-PUR7OUAG.js, executed at module load with no function call or condition needed to trigger it.
The author left a comment in the source map stating the tokens would be sent “always,” independent of any other functionality. This was not accidental. It was deliberate, buried inside an otherwise working product.
The exfiltration endpoint, sentry.anyclaw[.]store/startlog, was named to blend with the package’s legitimate Sentry error-reporting traffic.
A developer watching network activity would see what looked like normal telemetry going out. That cover was entirely by design, giving the theft a disguise that required active investigation to uncover.
The threat actor invested real effort into building a credible, useful project to use as cover, and the legitimacy itself became the attack vector. As AI tools spread and developers reach for productivity shortcuts, more attacks following this pattern should be expected.
Android App Extends the Reach of the Attack
The npm package was not the only delivery channel. The same author published an Android app on Google Play called “OpenClaw Codex Claude AI Agent” (package ID: gptos.intelligence.assistant), and that app automatically pulled in the malicious npm build every time it launched.
A second Play Store app titled “Codex,” a paid productivity tool with over 10,000 installs, used the same codebase and exfiltration chain under a different app ID.
The Android app appeared clean on pre-publish scans and weighed only 26 MB. On first launch, it extracted a Linux environment into private storage, ran Node.js inside it, and installed the malicious package from npm without pinning a version.
This meant any device running the app would pull whatever the current malicious build was from the registry.
Once a user signed into Codex inside the app, the auth.json file was written into storage, which the package would then read and transmit to the attacker’s server.

Aikido’s investigation linked the publisher to the alias “BrutalStrike,” whose game of the same name has over five million Play Store downloads, raising serious concerns about the scale of exposure.
Developers who used codexui-android or either associated Android app should immediately revoke and rotate their OpenAI Codex credentials.
Monitoring outbound connections to sentry.anyclaw[.]store is strongly advised, as that is the confirmed exfiltration endpoint used throughout this campaign.
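As an added example (not code from the article, from Aikido's report, or from the package itself): a Node.js triage helper that flags proxy-log requests to the confirmed endpoint and decodes a captured request body using the XOR key and base64 layout described above, so a responder can tell which tokens were exposed and what to rotate first. The log line format, the sample auth.json and its field names are constructed assumptions, not the real file layout.

```javascript
const XOR_KEY = 'anyclaw2026';                       // key reported by Aikido
const EXFIL_URL = 'sentry.anyclaw[.]store/startlog'; // defanged, as printed above
// XOR with a fixed repeating key is symmetric: the same routine recovers the file.
function xorBytes(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key.charCodeAt(i % key.length);
  return out;
}

// Turn a captured request body (base64 text) back into the auth.json object.
function decodeExfilBody(b64) {
  const plain = xorBytes(Buffer.from(b64, 'base64'), XOR_KEY).toString('utf8');
  return JSON.parse(plain);
}

// Which credential fields the decoded body carried; the refresh token is the
// long-lived, highest-impact one, so it decides rotation priority.
const SENSITIVE = ['access_token', 'refresh_token', 'id_token', 'account_id'];
function exposedFields(auth) {
  const t = auth.tokens || auth; // assumption: fields may sit under "tokens"
  return SENSITIVE.filter((k) => typeof t[k] === 'string' && t[k].length > 0);
}

// Proxy-log triage: keep only POSTs to the confirmed endpoint. Log format is
// constructed: "<ts> <method> <host><path> <status>". The IoC stays defanged
// in the constant and is refanged only inside the matcher.
function flagExfilRequests(logLines) {
  const target = EXFIL_URL.replace('[.]', '.');
  return logLines.filter((line) => {
    const [, method, hostPath] = line.trim().split(/\s+/);
    return method === 'POST' && hostPath === target;
  });
}

// Constructed sample input: a fake auth.json encoded the way the stealer did,
// plus three proxy-log lines of which only the second is the exfiltration.
const SAMPLE_AUTH = { tokens: { access_token: 'ACCESS-EXAMPLE', refresh_token:
  'REFRESH-EXAMPLE', id_token: 'ID-EXAMPLE', account_id: 'acct-example' } };
const SAMPLE_BODY = xorBytes(Buffer.from(JSON.stringify(SAMPLE_AUTH)), XOR_KEY).toString('base64');
const SAMPLE_LOG = [
  '2026-03-01T10:00:00Z GET registry.npmjs.org/codexui-android 200',
  '2026-03-01T10:00:02Z POST sentry.anyclaw.store/startlog 200',
  '2026-03-01T10:00:03Z POST sentry.io/api/1/envelope/ 200',
];
// Full triage for one capture: how many exfil requests, and what they exposed.
function triage(logLines, body) {
  const hits = flagExfilRequests(logLines);
  return { hits: hits.length, exposed: hits.length ? exposedFields(decodeExfilBody(body)) : [] };
}
console.log(JSON.stringify(triage(SAMPLE_LOG, SAMPLE_BODY)));
```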
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Domain | sentry.anyclaw[.]store | Attacker-controlled exfiltration server endpoint |
| URL Path | /startlog | Exfiltration POST endpoint on the C2 server |
| File Name | chunk-PUR7OUAG.js | Malicious JavaScript chunk containing the exfiltration logic |
| File Name | dist-cli/index.js | Entry point of the malicious npm package |
| File Name | auth.json | Targeted credential file (stores Codex OAuth tokens) |
| npm Package | codexui-android | Malicious npm package delivering the token stealer |
| npm Package Version | codexui-android@0.1.82 | First version confirmed to contain the exfiltration code |
| Android App ID | gptos.intelligence.assistant | Package ID of “OpenClaw Codex Claude AI Agent” on Google Play |
| Android App | codex.app | Second Play Store app using the same malicious codebase |
| XOR Key | anyclaw2026 | Encryption key used to obfuscate stolen credential data |
| Kotlin Namespace | app.anyclaw.* | Namespace shared across both malicious Android APKs |
| Auth Callback | anyclaw://auth/codex-callback | Deep link registered in malicious Android manifests |
| File Name | rootfs.tar.zst.bin | Bundled Linux userland extracted on app first launch |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.