← All articles

codexui-android npm steals OpenAI Codex auth tokens for a month - non-expiring refresh_token exfiltrated to fake Sentry endpoint

Aikido Security has disclosed that codexui-android, an npm package advertised as a remote web UI for OpenAI Codex with over 29,000 weekly downloads, has been silently exfiltrating users' Codex authentication tokens for the past month. Unlike a typosquat, the malware was embedded into a functional, actively-developed package roughly a month after publication to build trust; the GitHub repo stayed clean. The code reads ~/.codex/auth.json and ships the access_token, refresh_token, id_token, and account ID to sentry.anyclaw[.]store, a server masquerading as Sentry. The non-expiring refresh_token lets an attacker silently impersonate the developer indefinitely with full Codex account access. The package remains available; the npm account is 'friuns.'

Check
Inventory developer machines for the codexui-android npm package. If present, treat ~/.codex/auth.json as compromised. Search egress for traffic to sentry.anyclaw[.]store.
Affected
Developers who installed codexui-android (29K weekly downloads, still live). Stolen non-expiring Codex refresh_tokens give attackers persistent, silent impersonation of the victim's OpenAI Codex account.
Fix
Remove codexui-android. Revoke and re-issue OpenAI Codex sessions; the refresh_token does not expire, so rotation is mandatory. Pin dependencies and audit AI-tooling packages before install.