codexui-android exfiltrates OpenAI Codex refresh tokens for ~7 weeks before Aikido disclosure
Aikido disclosed on 2026-06-02 that every codexui-android npm version from 0.1.82 (2026-04-13) through 0.1.125 silently exfiltrates the user's OpenAI Codex auth.json — access, refresh, and ID tokens — to sentry.anyclaw[.]store/startlog. The malicious code never appeared in the package's GitHub repository, and a companion Android app (50k+ installs) ships the same stealer.
- Detected by
- Aikido Security
- Also known as
- OpenClaw Codex stealer · sentry.anyclaw.store campaign
- Ecosystems
- npm
- Packages tracked
- 1
What happened
On 2026-06-02 Aikido Security disclosed that the npm package codexui-android — marketed as a lightweight remote web UI for OpenAI Codex and pulling ~27,000 weekly downloads — has been silently exfiltrating OpenAI Codex authentication material for roughly seven weeks. The malicious code first appeared in version 0.1.82 published on 2026-04-13 and remained in every subsequent release through the current 0.1.125 (published 2026-05-26). Forty-one consecutive versions are affected.
Trust-then-betray pattern
For approximately one month after codexui-android was first published on 2026-04-10 (0.1.72) the package behaved exactly as advertised, accumulating downloads, GitHub stars, and a real user community. The author then began shipping a divergent tarball: the public friuns2/codex-mobile GitHub repository still contains the clean source, while every release pushed to the npm registry from 0.1.82 onwards carries an extra exfiltration routine that is not in source control. Reviewers checking the repo before installation were systematically misled — a textbook source-vs-artefact divergence.
Stealer mechanics
On every invocation the package reads auth.json from the user's Codex home directory. The entire JSON (including access_token, refresh_token, id_token, and account ID) is XOR-encrypted with the static key anyclaw2026, base64-encoded, and POSTed to https://sentry.anyclaw[.]store/startlog. The hostname is chosen to blend with the package's legitimate Sentry error-reporting telemetry — defenders looking at egress logs are nudged into ignoring the request. OpenAI refresh tokens do not expire by default, so any host that ran an affected version should be treated as persistently compromised until the affected refresh tokens are revoked.
Android leg
The same publisher ships an Android app on the Play Store named OpenClaw Codex Claude AI Agent (Play package gptos.intelligence.assistant, ~50,000 installs at disclosure). The app embeds the malicious npm build, executes it in a PRoot sandbox at launch, and sends the same auth.json envelope to the same sentry.anyclaw[.]store endpoint — meaning even users who never installed the npm package directly but tried the Android client are exposed. A sibling app from the same publisher mirrors the behaviour.
OpenClawis the same brand previously seen as the second-stage payload in the 2026-02-17cline@2.3.0clinejection chain and the@shadanai/openclaw/@qqbrowser/openclaw-qbotpackages caught in the March 2026 axios investigation. Whether the publisher is the same operator or a deliberate name-reuse to muddy attribution is unknown; the convergence ofOpenClaw-branded malware across npm, Android, and prior AI-tooling supply-chain incidents is worth tracking.- Aikido reports no GHSA or OSV advisory at disclosure time; the npm package was still available for
npm installon 2026-06-02 and 2026-06-03. Expect a forced removal once npm Security ingests the report. - Downstream coverage: The Hacker News, TechRadar, Cybernews, CSO Online, and InfoWorld republished within hours of Aikido's post.
Affected packages (1)
- npm
codexui-android0.1.820.1.830.1.850.1.880.1.890.1.900.1.910.1.920.1.930.1.940.1.950.1.960.1.970.1.980.1.990.1.1000.1.1010.1.1020.1.1030.1.1040.1.1050.1.1060.1.1070.1.1080.1.1090.1.1100.1.1110.1.1120.1.1130.1.1140.1.1150.1.1160.1.1170.1.1180.1.1190.1.1200.1.1210.1.1220.1.1230.1.1240.1.125
Impact
auth.jsonfor OpenAI Codex is read and exfiltrated on every invocation —access_token,refresh_token,id_token, and account ID all leak- OpenAI refresh tokens do not expire by default, so a stolen
refresh_tokenlets the attacker mint new access tokens and impersonate the victim indefinitely - Attacker can read every live Codex project, drain API credits, and pivot via any linked OpenAI organisation the victim belongs to
- ~27,000 weekly npm downloads were exposed for roughly seven weeks (2026-04-13 → 2026-06-02 disclosure)
- Companion Android app
OpenClaw Codex Claude AI Agent(Play Store packagegptos.intelligence.assistant, ~50,000 installs) launches the malicious npm package inside a PRoot sandbox on every start, so even mobile-only users are affected - GitHub source for the package shows clean commits — anyone reviewing source rather than the published tarball was misled into believing the package was safe
What to do
- 1Treat any developer host that ran
codexui-android0.1.82 or later as having had its OpenAI credentials stolen — revoke and re-authenticate~/.codex/auth.jsonand any linked OpenAI API keys - 2Audit OpenAI account activity and API usage for the affected window (2026-04-13 onwards) and revoke organisation memberships granted from those sessions
- 3Block outbound HTTPS to
sentry.anyclaw[.]store(and the parentanyclaw[.]storedomain) at egress; the legit Sentry SDK does not use this hostname - 4Uninstall the
OpenClaw Codex Claude AI AgentAndroid app (gptos.intelligence.assistant) and any siblingOpenClaw-branded apps from the same publisher - 5Hunt processes that XOR-decode with the static key
anyclaw2026and POST to/startlog; the body is base64 of an XOR'd JSON of the stolenauth.json - 6Pin lockfiles below 0.1.82 if the package must remain in use, but prefer to remove it pending a clean upstream re-release from a verifiable maintainer
References
- Aikido SecurityLegitimate-Looking Codex Remote UI Secretly Steals Your AI Tokensaikido.dev
- The Hacker NewsOpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attackthehackernews.com
- TechRadarOpenAI Codex tool with over 29,000 downloads linked to malicious npm supply chain attack stealing authentication tokenstechradar.com
- CybernewsHackers caught hiding OpenAI token-stealing malware in Codex npm packagecybernews.com
- HackRead27,000-Download Codex UI Tool Secretly Stole OpenAI Refresh Tokenshackread.com
- DataconomyPopular Codex Package Caught Exfiltrating Authentication Credentialsdataconomy.com