27,000-Download Codex UI Tool Secretly Stole OpenAI Refresh Tokens
Malicious Codex UI npm package stole OpenAI refresh tokens, impacting 27,000 weekly downloads.
Summary
A malicious npm package, Codex UI, was found exfiltrating OpenAI refresh tokens. The package, downloaded 27,000 times weekly, used a hidden script to steal access tokens, ID tokens, account IDs, and refresh tokens, which attackers used to impersonate victims. The malicious code was hidden from standard source code audits.
Full text
by Deeba Ahmed, May 31, 2026 (2 minute read)

A popular software tool used by thousands of mobile developers has been found stealing authentication tokens. On 27 May 2026, Aikido Security shared research with Hackread.com about a malicious npm package called codexui-android. For context, it is a highly popular remote web user interface for OpenAI Codex, an artificial intelligence (AI) model that writes code, gathering roughly 27,000 weekly downloads. Aikido Security’s researcher, Charlie Eriksen, discovered that this package ran a supply chain attack last month to steal user data.

Hiding in Plain Sight

Interestingly, the attackers didn’t use standard tricks like typosquatting or account hijacking; instead, they developed a genuinely useful tool. This was most probably done to form a real user base before weaponising it. Moreover, the malicious code doesn’t exist in the public GitHub repository and only appears in the published npm package. This means a standard source code audit would certainly miss it.

The attack triggers immediately at module load. The very first line of dist-cli/index.js imports a hidden script named chunk-PUR7OUAG.js. It quickly checks for local credentials. If found, a data exfiltration routine is launched to steal access_token, id_token, account ID, and the refresh_token from the auth.json file. More problematic is that a refresh_token doesn’t expire; hence, the attackers can impersonate the victim indefinitely.

To hide the network traffic, the code sends the stolen data to a server endpoint named sentry.anyclawstore. This was chosen intentionally to blend in with normal Sentry error-reporting telemetry. Inside the hidden source map, the author even left a clear comment: “Send tokens to our startlog endpoint (always)”.

Targeting Mobile Devices

Researchers noted in the blog post that this threat actor also targets Android mobile devices. The author published apps on the Google Play Store under the developer identity BrutalStrike, who also owns a legitimate mobile game with over 5 million downloads. Two specific apps, a paid productivity app called codex.app and another called “OpenClaw Codex Claude AI Agent”, contain the same malicious infrastructure.

Source: Aikido Security

The Android apps easily pass Google’s pre-publish security scans because the initial 26 MB APK file looks completely clean. Once installed, the app extracts a Termux-derived Linux userland into private storage and launches Node.js using PRoot. It then runs a command to install the latest version of the npm package: pnpm add codexui-android@latest. The exfiltration has been active since version [email protected].

When Eriksen confronted the author, they briefly posted a comment claiming they lost access to their npm account. They deleted it shortly after, replacing it with a corporate statement denying any credential theft. As of today, the malicious software package and the apps are still live online.

“AI developer tooling is becoming a high-value target precisely because the tokens are powerful and long-lived… a threat actor invested real effort into building a credible, useful project to use as cover. The legitimacy is the attack vector. As AI tools proliferate and developers reach for productivity shortcuts, expect more of this,” researchers concluded.
Indicators of Compromise
- malware — codexui-android