Cybersecurity researchers have identified a malicious supply chain campaign that targeted OpenAI Codex users through a legitimate-looking npm package and Android apps, with one package drawing more than 29,000 weekly downloads before the abuse was disclosed.
KEY FACTS
- Package The npm package codexui-android was presented as a remote web UI for OpenAI Codex.
- Payload The code was designed to read ~/.codex/auth.json and send tokens to a remote server.
- Data The captured details included access_token, refresh_token, id_token and account ID.
- Android apps Two Android apps linked to the same actor also carried the same exfiltration chain.
A technical analysis by Aikido Security said the malicious changes were introduced about a month after the npm package was first published, after an initial period of active development that appeared intended to build trust. The repository tied to the package was described as clean.
The report said the package copied Codex credentials from a local auth file into an attacker-controlled domain that posed as a monitoring service. It said the refresh token could allow long-term access because it does not expire.
The same disclosure said the abuse extended beyond npm. One Android app called OpenClaw Codex Claude AI Agent and another app named Codex were both linked to the same endpoint, and both used the package inside a sandboxed Linux environment on the device. The apps were said to have more than 50,000 downloads and more than 10,000 downloads, respectively.
The package author later said they were investigating the issue and had started removing the affected functionality, while also saying no credential data was shared with third parties. The domain used in the exfiltration was registered in April 2026, two days after the first version of the package was uploaded.
WHY IT MATTERS
The case shows how attackers can hide credential theft inside tools that look legitimate and already have users. For developers who store AI login data locally, the exposure can extend beyond a single app session and create persistent access risk if tokens are stolen.