Malicious Codex Remote UI Steals OpenAI Authentication Tokens
A seemingly legitimate npm package named `codexui-android` has been discovered covertly exfiltrating OpenAI Codex authentication tokens from unsuspecting developers. This package, which presented itself as a remote web interface for OpenAI Codex, amassed a significant user base with 27,000 weekly downloads and maintained an active GitHub repository, all while operating maliciously in the background.
Stealthy Operation and Detection
The malicious activity of `codexui-android` went undetected for approximately one month. Every version of the package contained concealed code that ran as soon as the package was loaded, with no user interaction required. Because it executed at startup, the malicious code could read the stored authentication files immediately, before a user had any chance to notice.
Security researchers at Aikido identified the nefarious behavior after noticing discrepancies between the npm package and its corresponding GitHub repository. The published npm package included additional code absent from the GitHub source, effectively evading standard code audits. Developers reviewing the repository would find no indications of malicious intent, as the credential-stealing logic resided solely within the distributed package.
Mechanism of Credential Theft
The exfiltration process targeted the `auth.json` file located in the user's Codex home directory. The contents of this file were XOR-encrypted using the key `anyclaw2026`, base64-encoded, and transmitted to a server controlled by the attacker. The endpoint, named to mimic a legitimate Sentry error-reporting connection, was designed to blend seamlessly with normal network traffic, making detection challenging during routine monitoring.
Alarmingly, the package extracted comprehensive authentication details, including the access token, refresh token, ID token, and account ID. Given that refresh tokens do not expire, possession of one allows an attacker to impersonate the victim indefinitely.
Technical Execution
Within the package, a file named `chunk-PUR7OUAG.js` executed the malicious code at module load, with no function call or condition gating it. A comment in the source code indicated that the tokens were always to be sent, highlighting the deliberate nature of the attack.
The exfiltration endpoint, `sentry.anyclaw[.]store/startlog`, was crafted to resemble legitimate Sentry error-reporting traffic. This design choice ensured that network activity appeared normal, thereby evading detection.
Extended Reach Through Android Application
The threat actor expanded the attack vector by publishing an Android application on Google Play titled OpenClaw Codex Claude AI Agent (package ID: `gptos.intelligence.assistant`). This app automatically integrated the malicious npm package upon launch, further extending the reach of the credential-stealing operation.
Implications and Recommendations
This incident underscores the growing sophistication of supply chain attacks targeting developers. By creating a credible and functional project, the attacker exploited the trust placed in widely used tools and platforms. As AI tools become more prevalent, it is anticipated that similar attacks will increase.
To mitigate such risks, developers are advised to:
– Conduct Thorough Code Reviews: Regularly audit both source code and distributed packages for discrepancies.
– Monitor Network Traffic: Implement monitoring solutions to detect unusual outbound connections, especially to unfamiliar endpoints.
– Verify Package Integrity: Utilize tools that can compare the contents of npm packages with their corresponding source repositories to identify unauthorized code additions.
– Stay Informed: Keep abreast of emerging threats and vulnerabilities within the developer ecosystem to proactively address potential risks.
By adopting these practices, developers can enhance their security posture and reduce the likelihood of falling victim to similar supply chain attacks.