A popular software tool used by thousands of mobile developers has been found stealing authentication tokens. On 27 May 2026, Aikido Security shared research with Hackread.com about a malicious npm package called codexui-android.
For context, it is a highly popular remote web user interface for OpenAI Codex, an artificial intelligence (AI) model that writes code, gathering roughly 27,000 weekly downloads.
Aikido Security's researcher, Charlie Eriksen, discovered that this package ran a supply chain attack last month to steal user data.
Hiding in Plain Sight
Notably, the attackers did not use standard tricks like typosquatting or account hijacking; instead, they developed a genuinely useful tool. This was likely done to build a real user base before weaponising it. Furthermore, the malicious code does not exist in the public GitHub repository and only appears in the published npm package. This means a standard source code audit would miss it.
The attack triggers immediately at module load. The very first line of dist-cli/index.js imports a hidden script named chunk-PUR7OUAG.js. It quickly checks for local credentials. If found, a data exfiltration routine is launched to steal access_token, id_token, account ID, and the refresh_token from the auth.json file. More problematic is that a refresh_token does not expire; hence, the attackers can impersonate the victim indefinitely.
To hide the network traffic, the code sends the stolen data to a server endpoint named sentry.anyclawstore. This was chosen deliberately to blend in with normal Sentry error-reporting telemetry. Inside the hidden source map, the author even left a clear comment: "Send tokens to our startlog endpoint (always)".
Targeting Mobile Devices
Researchers noted in the blog post that this threat actor also targets Android mobile devices. The author published apps on the Google Play Store under the developer ID BrutalStrike, who also owns a legitimate mobile game with over 5 million downloads.
Two specific apps, a paid productivity app called codex.app and another called "OpenClaw Codex Claude AI Agent", contain the same malicious infrastructure.
The Android apps easily pass Google's pre-publish security scans because the initial 26 MB APK file appears completely clean. Once installed, the app extracts a Termux-derived Linux userland into private storage and launches Node.js using PRoot. It then runs a command to install the latest version of the npm package: pnpm add codexui-android@latest. The exfiltration has been active since version [email protected].
When Eriksen confronted the author, they briefly posted a comment claiming they had lost access to their npm account. They deleted it shortly after, replacing it with a corporate statement denying any credential theft.
As of today, the malicious software package and the apps are still live online.
"AI developer tooling is becoming a high-value target precisely because the tokens are powerful and long-lived… a threat actor invested real effort into building a credible, useful project to use as cover. The legitimacy is the attack vector. As AI tools proliferate and developers reach for productivity shortcuts, expect more of this," researchers concluded.