Security researchers have uncovered a supply chain attack targeting developers utilizing OpenAI Codex through a seemingly legitimate npm package named codexui-android. This package, promoted as a remote web UI for OpenAI Codex, has amassed over 29,000 weekly downloads and remains available on the npm repository.
Unlike typical typosquatting attacks, this malicious code is embedded within a fully functional npm package that has been actively developed. Notably, the associated GitHub repository appears clean, adding to the deception.
According to Aikido Security researcher Charlie Eriksen, “And for the past month, every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server.” The malicious code was introduced approximately a month after the package’s initial publication, likely to build user trust and expand its reach. The npm account linked to this package is “friuns” (also known as Igor Levochkin).
The compromised package extracts contents from Codex’s ~/.codex/auth.json file and transmits them to a remote server (sentry.anyclaw[.]store) masquerading as Sentry, a legitimate application monitoring platform. The stolen data includes access tokens, refresh tokens, ID tokens, and account IDs. Eriksen emphasized the severity, noting that the refresh token doesn’t expire, allowing an attacker to impersonate the user indefinitely.
OpenAI advises treating the ~/.codex/auth.json file like a password, warning users not to commit, paste, or share it, as it contains sensitive access tokens.
Further investigation revealed that the npm package isn’t the sole vector for this attack. An Android application named OpenClaw Codex Claude AI Agent (package name: gptos.intelligence.assistant) runs the npm package within its PRoot sandbox and sends Codex credentials to the same malicious endpoint. This app, developed by an entity named “BrutalStrike,” has over 50,000 downloads. A second app from the same developer, Codex (package name: codex.app), with over 10,000 downloads, exhibits similar behavior.
Upon contacting the package author on GitHub, Aikido reported that the author initially claimed to have lost access to their npm account. Later, they stated they were investigating the issue internally and had begun removing the affected functionality and related data. The author also claimed that no credential data was shared with third parties but did not explain why the code was inserted into the npm package or why access to Codex tokens was necessary. Notably, the author’s X profile links to the domain anyclaw[.]store, which was registered shortly after the first version of the npm package was uploaded.
This incident underscores the growing trend of threat actors targeting AI developer tools and workflows to steal credentials and infiltrate the software supply chain. Developers are urged to exercise caution when integrating third-party packages and to monitor for any suspicious activity within their development environments.
Source: The Hacker News
