VYPR
Breach · Published May 29, 2026 · 1 source

Malicious npm Package 'codexui-android' Steals OpenAI Codex Authentication Tokens, Linked to Android Apps on Google Play

A polished npm package named codexui-android with 27,000 weekly downloads secretly exfiltrated OpenAI Codex authentication tokens, and the same attacker published Android apps on Google Play that pulled the malicious package.

A fully functional npm package that presented itself as a remote web UI for OpenAI Codex has been caught stealing authentication tokens from developers who trusted it. The package, named codexui-android, amassed 27,000 weekly downloads and maintained an active GitHub repository, all while quietly draining credentials in the background. The threat had been active for roughly one month before detection, according to a report from Aikido shared with Cyber Security News.

The malicious logic ran before any application code, so it had access to stored authentication files from the moment the process started. Every published version contained the hidden code, which fired as soon as the tool launched, with no user interaction required. Aikido found that the malicious behavior existed only in the tarball distributed through npm and was never committed to the GitHub repository, so an audit that reviewed the repository source rather than the published artifact would not have seen it.

The exfiltration code targeted the auth.json file in the user's Codex home directory (CODEX_HOME, by default ~/.codex). Once found, the file contents were XOR-obfuscated with the static key 'anyclaw2026,' base64-encoded, and silently sent to an attacker-controlled server at sentry.anyclaw[.]store/startlog. The endpoint was named to resemble a legitimate Sentry error-reporting connection, making it easy to overlook during routine network monitoring. XOR with a fixed key is not encryption: anyone holding a capture of that traffic can recover the plaintext tokens as easily as the attacker can.

What made this campaign alarming was how complete the theft was. The package grabbed the access token, refresh token, ID token, and account ID in one sweep. Because a refresh token stays valid until it is revoked, an attacker holding one can keep minting fresh access tokens and impersonate the victim indefinitely; replacing the short-lived access token alone does nothing. The malicious file in the package, chunk-PUR7OUAG.js, executed at module load, with no function call or condition needed to trigger it. The author left a comment in the source map stating the tokens would be sent 'always,' independent of any other functionality.
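The encoding chain described above (XOR with the static key 'anyclaw2026', then base64), as an added example written for this page; it is not code from the codexui-android package or from Aikido's report. It exists so that a responder who captured a request to the exfiltration endpoint can decode the body and see exactly which tokens left the machine. The auth.json layout and token values below are constructed placeholders; the report does not describe the real file's structure.

```javascript
// Added example: reproduces the XOR-then-base64 transform the report describes
// and its inverse. Not code from the malicious package.
const XOR_KEY = 'anyclaw2026'; // static key named in the report

// XOR every byte of `buf` with the repeating key. With a fixed key this is an
// involution: applying it twice restores the original bytes.
function xorWithKey(buf, key = XOR_KEY) {
  const k = Buffer.from(key, 'utf8');
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) {
    out[i] = buf[i] ^ k[i % k.length];
  }
  return out;
}

// Attacker-side transform as described: serialize auth.json, XOR, base64.
function encodeAuthFile(authJson, key = XOR_KEY) {
  const plain = Buffer.from(JSON.stringify(authJson), 'utf8');
  return xorWithKey(plain, key).toString('base64');
}

// Responder-side inverse: base64-decode, XOR with the same key, parse JSON.
function decodeCapturedBody(b64, key = XOR_KEY) {
  const raw = xorWithKey(Buffer.from(b64, 'base64'), key);
  return JSON.parse(raw.toString('utf8'));
}

// List which credential fields a decoded blob carried. Walks nested objects so
// the check does not depend on auth.json's exact layout (an assumption here).
const SENSITIVE = ['access_token', 'refresh_token', 'id_token', 'account_id'];
function stolenFields(obj, found = new Set()) {
  if (obj && typeof obj === 'object') {
    for (const [k, v] of Object.entries(obj)) {
      if (SENSITIVE.includes(k) && typeof v === 'string' && v.length > 0) found.add(k);
      stolenFields(v, found);
    }
  }
  return [...found].sort();
}

// Constructed sample, not a real auth.json: field names follow the four items
// the report says were taken; the values are placeholders.
const SAMPLE_AUTH = {
  tokens: {
    access_token: 'eyJ.sample.access',
    refresh_token: 'sample-refresh-token',
    id_token: 'eyJ.sample.id',
    account_id: 'acct_sample_0001',
  },
  last_refresh: '2026-05-01T00:00:00Z',
};

// Demo: the encoded body hides the obvious field names from a grep, but anyone
// with the captured traffic reverses it in one step.
const captured = encodeAuthFile(SAMPLE_AUTH);
const recovered = decodeCapturedBody(captured);
console.log('fields exfiltrated:', stolenFields(recovered).join(', '));
```

Because the key is static, `decodeCapturedBody` works on any body captured from this campaign; if the key were ever changed, the first bytes of the plaintext are always `{"`, which is enough to confirm a candidate key at the first two positions.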

The npm package was not the only delivery channel. The same author published an Android app on Google Play called 'OpenClaw Codex Claude AI Agent' (package ID: gptos.intelligence.assistant), and that app automatically pulled in the malicious npm build every time it launched. A second Play Store app titled 'Codex,' a paid productivity tool with over 10,000 installs, used the same codebase and exfiltration chain under a different app ID.

The Android app weighed only 26 MB and appeared clean on pre-publish scans, which is consistent with the malicious code never being inside the APK itself. On first launch, it extracted a Linux environment into private storage, ran Node.js inside it, and installed the package from npm without pinning a version. Any device running the app therefore pulled whatever the current malicious build was from the registry, and a scan of the APK alone could not have caught it. Once a user signed into Codex inside the app, the auth.json file was written into storage, which the package would then read and transmit to the attacker's server.

Aikido's investigation linked the publisher to the alias 'BrutalStrike,' whose game of the same name has over five million Play Store downloads, raising serious concerns about the scale of exposure. Developers who used codexui-android or either associated Android app should treat their Codex credentials as compromised: revoke the existing tokens (rotation alone is insufficient while the stolen refresh token remains valid), sign in again, and remove the package from every project and lockfile in which it appears. Monitoring and blocking outbound connections to sentry.anyclaw[.]store is strongly advised, as that is the confirmed exfiltration endpoint used throughout this campaign, and searching historical DNS or proxy logs for that host will show whether a machine has already reached it.

Synthesized by Vypr AI