Feed
HighPublished 2 Jun 20261 package · 41 versions

codexui-android exfiltrates OpenAI Codex refresh tokens for ~7 weeks before Aikido disclosure

Summary

Aikido disclosed on 2026-06-02 that every codexui-android npm version from 0.1.82 (2026-04-13) through 0.1.125 silently exfiltrates the user's OpenAI Codex auth.json — access, refresh, and ID tokens — to sentry.anyclaw[.]store/startlog. The malicious code never appeared in the package's GitHub repository, and a companion Android app (50k+ installs) ships the same stealer.

infostealercredential-theftmaintainer-takeoverobfuscation
Detected by
Aikido Security
Also known as
OpenClaw Codex stealer · sentry.anyclaw.store campaign
Ecosystems
npm
Packages tracked
1

What happened

On 2026-06-02 Aikido Security disclosed that the npm package codexui-android — marketed as a lightweight remote web UI for OpenAI Codex and pulling ~27,000 weekly downloads — has been silently exfiltrating OpenAI Codex authentication material for roughly seven weeks. The malicious code first appeared in version 0.1.82 published on 2026-04-13 and remained in every subsequent release through the current 0.1.125 (published 2026-05-26). Forty-one consecutive versions are affected.

Trust-then-betray pattern

For approximately one month after codexui-android was first published on 2026-04-10 (0.1.72) the package behaved exactly as advertised, accumulating downloads, GitHub stars, and a real user community. The author then began shipping a divergent tarball: the public friuns2/codex-mobile GitHub repository still contains the clean source, while every release pushed to the npm registry from 0.1.82 onwards carries an extra exfiltration routine that is not in source control. Reviewers checking the repo before installation were systematically misled — a textbook source-vs-artefact divergence.

Stealer mechanics

On every invocation the package reads auth.json from the user's Codex home directory. The entire JSON (including access_token, refresh_token, id_token, and account ID) is XOR-encrypted with the static key anyclaw2026, base64-encoded, and POSTed to https://sentry.anyclaw[.]store/startlog. The hostname is chosen to blend with the package's legitimate Sentry error-reporting telemetry — defenders looking at egress logs are nudged into ignoring the request. OpenAI refresh tokens do not expire by default, so any host that ran an affected version should be treated as persistently compromised until the affected refresh tokens are revoked.

Android leg

The same publisher ships an Android app on the Play Store named OpenClaw Codex Claude AI Agent (Play package gptos.intelligence.assistant, ~50,000 installs at disclosure). The app embeds the malicious npm build, executes it in a PRoot sandbox at launch, and sends the same auth.json envelope to the same sentry.anyclaw[.]store endpoint — meaning even users who never installed the npm package directly but tried the Android client are exposed. A sibling app from the same publisher mirrors the behaviour.

  • OpenClaw is the same brand previously seen as the second-stage payload in the 2026-02-17 cline@2.3.0 clinejection chain and the @shadanai/openclaw / @qqbrowser/openclaw-qbot packages caught in the March 2026 axios investigation. Whether the publisher is the same operator or a deliberate name-reuse to muddy attribution is unknown; the convergence of OpenClaw-branded malware across npm, Android, and prior AI-tooling supply-chain incidents is worth tracking.
  • Aikido reports no GHSA or OSV advisory at disclosure time; the npm package was still available for npm install on 2026-06-02 and 2026-06-03. Expect a forced removal once npm Security ingests the report.
  • Downstream coverage: The Hacker News, TechRadar, Cybernews, CSO Online, and InfoWorld republished within hours of Aikido's post.

Affected packages (1)

  • npmcodexui-android
    0.1.820.1.830.1.850.1.880.1.890.1.900.1.910.1.920.1.930.1.940.1.950.1.960.1.970.1.980.1.990.1.1000.1.1010.1.1020.1.1030.1.1040.1.1050.1.1060.1.1070.1.1080.1.1090.1.1100.1.1110.1.1120.1.1130.1.1140.1.1150.1.1160.1.1170.1.1180.1.1190.1.1200.1.1210.1.1220.1.1230.1.1240.1.125

Impact

  • auth.json for OpenAI Codex is read and exfiltrated on every invocation — access_token, refresh_token, id_token, and account ID all leak
  • OpenAI refresh tokens do not expire by default, so a stolen refresh_token lets the attacker mint new access tokens and impersonate the victim indefinitely
  • Attacker can read every live Codex project, drain API credits, and pivot via any linked OpenAI organisation the victim belongs to
  • ~27,000 weekly npm downloads were exposed for roughly seven weeks (2026-04-13 → 2026-06-02 disclosure)
  • Companion Android app OpenClaw Codex Claude AI Agent (Play Store package gptos.intelligence.assistant, ~50,000 installs) launches the malicious npm package inside a PRoot sandbox on every start, so even mobile-only users are affected
  • GitHub source for the package shows clean commits — anyone reviewing source rather than the published tarball was misled into believing the package was safe

What to do

  1. 1Treat any developer host that ran codexui-android 0.1.82 or later as having had its OpenAI credentials stolen — revoke and re-authenticate ~/.codex/auth.json and any linked OpenAI API keys
  2. 2Audit OpenAI account activity and API usage for the affected window (2026-04-13 onwards) and revoke organisation memberships granted from those sessions
  3. 3Block outbound HTTPS to sentry.anyclaw[.]store (and the parent anyclaw[.]store domain) at egress; the legit Sentry SDK does not use this hostname
  4. 4Uninstall the OpenClaw Codex Claude AI Agent Android app (gptos.intelligence.assistant) and any sibling OpenClaw-branded apps from the same publisher
  5. 5Hunt processes that XOR-decode with the static key anyclaw2026 and POST to /startlog; the body is base64 of an XOR'd JSON of the stolen auth.json
  6. 6Pin lockfiles below 0.1.82 if the package must remain in use, but prefer to remove it pending a clean upstream re-release from a verifiable maintainer

References

npm-2026-06-02-codexui-android-openclaw