If you or your developers run OpenAI Codex and installed the codexui-android npm package — or its companion Android apps — assume your Codex tokens are compromised and revoke them now. Aikido Security disclosed on June 1, 2026 that the package has been reading ~/.codex/auth.json and shipping the full OAuth blob to an attacker-controlled server on every invocation for roughly the past month.

What happened

codexui-android is advertised on GitHub and npm as a remote web UI for OpenAI Codex, pulling over 29,000 weekly downloads. This is not a typosquat or a throwaway dependency. It’s a functional, actively developed package, and its GitHub repository is clean — the malicious code lives only in the published npm tarball. The exfiltration logic was added roughly a month after the first release, a classic trust-building delay that let the package accumulate downloads before it turned hostile. The npm account behind it is friuns (GitHub friuns2).

Aikido researcher Charlie Eriksen put it bluntly: “for the past month, every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server.”

Technical details

When Codex’s CLI, IDE extension, or app authenticates via ChatGPT or an API key, it caches the session in a plaintext file at ~/.codex/auth.json. The malicious code reads that file and POSTs its contents to sentry.anyclaw[.]store/startlog — a domain dressed up to look like Sentry, the legitimate error-tracking SaaS, to blend into allowlisted telemetry traffic. The captured fields are access_token, refresh_token, id_token, and the account ID.

The refresh_token is the dangerous part: it does not expire. As Eriksen notes, an attacker holding it “can silently impersonate you indefinitely… persistent, silent access to whatever that account can do.” Rotating an API key or letting an access token lapse does not close this door.

Timeline corroborates intent: the first npm version (0.1.72) landed around April 10, 2026; the exfiltration endpoint domain anyclaw[.]store was registered April 12 — two days later. The credential theft has been present since [email protected].

The Android vector

The npm package is only one delivery channel. The same exfiltration chain ships inside Android apps from a developer calling itself BrutalStrike: “OpenClaw Codex Claude AI Agent” (gptos.intelligence.assistant, 50,000+ downloads) and “Codex” (codex.app, 10,000+ downloads). The 26 MB APK passes Play’s pre-publish scan because it carries no obvious payload — on first run it unpacks a Termux-derived Linux userland and runs Node.js under PRoot, then pulls whatever version of codexui-android is currently on npm (no version pinning). When the in-app Codex sign-in writes auth.json into the sandbox, the package reads it back out and ships the OAuth blob to the same endpoint.

What to do right now

  • Revoke the OAuth session, don’t just rotate keys. Sign out of Codex everywhere and invalidate active sessions/refresh tokens from your ChatGPT account settings; rotate any API keys cached on affected machines. Because the stolen refresh_token never expires, key rotation alone is insufficient.
  • Remove the package and apps. Uninstall codexui-android from any project and CI image, and remove the BrutalStrike Android apps from any device used to sign in to Codex.
  • Block the IOC. Deny egress to sentry.anyclaw[.]store and alert on it in proxy/DNS logs; review historical traffic to gauge exposure.
  • Audit your dependency tree and lockfiles for codexui-android and pin/verify anything that wraps AI tooling.
  • Treat ~/.codex/auth.json as a secret. Per OpenAI’s own guidance: don’t commit it, paste it into tickets, or share it in chat.

Why it matters

This is the AI-developer-tooling supply chain trend in miniature: a legitimate-looking tool, a clean public repo, a poisoned published artifact, and an exfil channel masquerading as routine telemetry. It lands alongside fresh Aikido findings that deleted Google API keys stay live for up to 23 minutes (median ~16) and deleted AWS keys for a few seconds — revocation latency that attackers actively exploit while defenders assume credentials are dead. The takeaway for infrastructure teams: a stolen, non-expiring token is a standing breach, and the artifact you npm install is now part of your trust boundary whether or not its source looks clean.

Sources