Popular Codex package caught exfiltrating authentication credentials

2026-06-02 · Source: Dataconomy · Field: Technology & Digital — Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning, Software Development & Engineering · Depth: Intermediate, quick

Summary

A new malicious supply chain campaign has been uncovered, targeting developers using OpenAI Codex via a seemingly legitimate remote web UI tool called "codexui-android". This npm package, advertised on GitHub, has accumulated over 29,000 weekly downloads and remains available. Researchers at Aikido Security found that the package, actively developed and with a clean GitHub repository, began exfiltrating Codex authentication tokens to an attacker-controlled server, "sentry.anyclaw[.]store", about a month after its initial publication. The embedded code extracts "~/.codex/auth.json", including access, refresh, and ID tokens, and account ID. The "refresh_token" does not expire, allowing indefinite impersonation. Associated malicious Android apps, "OpenClaw Codex Claude AI Agent" and another from BrutalStrike named "Codex", also utilize this exfiltration method. The developer, linked to the npm account "friuns" and Igor Levochkin, registered "anyclaw[.]store" on April 12, 2026, shortly after the package upload. This incident highlights a growing trend of exploiting AI development tools for credential theft.

Key takeaway

For AI Engineers or Software Engineers integrating third-party tools, you must scrutinize npm packages, even those with clean GitHub repositories and high download counts. This incident demonstrates how malicious code can be introduced later, exploiting trust and non-expiring tokens. Pin your package versions to prevent automatic updates of compromised code. Treat all local authentication files, like "auth.json", as highly sensitive passwords to mitigate indefinite unauthorized access risks.

Key insights

Malicious npm packages can embed credential exfiltration, exploiting trust and persistent tokens for indefinite access.

Principles

• Malicious code can be introduced post-publication to build trust.
• Non-expiring refresh tokens enable indefinite unauthorized access.
• Supply chain attacks exploit legitimate-looking development tools.

Method

The malicious code extracts "~/.codex/auth.json" (access, refresh, ID tokens, account ID) and sends it to an attacker-controlled server, often masquerading as a legitimate service like Sentry.

In practice

• Treat "auth.json" files like passwords.
• Pin npm package versions to prevent auto-updates of malicious code.
• Verify developer identity and domain registration dates.

Topics

• Supply Chain Security
• Credential Exfiltration
• OpenAI Codex
• npm Package Security
• Android Application Security
• Software Vulnerabilities

Best for: CTO, Machine Learning Engineer, NLP Engineer, AI Security Engineer, AI Engineer, Software Engineer

Related on AIssential

• Valid certificates, stolen accounts: how attackers broke npm's last trust signal — Automated trust signals in developer tools are broken by credential theft and design flaws, enabling widespread supply chain attacks.
• 244,000 AI Developers Downloaded What They Thought Was OpenAI and It Stole Their Crypto Wallets and… — A sophisticated supply chain attack exploited trust in AI platforms by mimicking a legitimate OpenAI tool to steal sensitive user data.
• OpenAI Among the Companies Affected by TanStack Breach — Software supply chain attacks exploiting GitHub Actions can compromise open-source libraries and spread credential-stealing malware.
• Fake Claude Code Installers Deliver Credential-Stealing Malware — Fake AI tool installers exploit unchecked trust to deploy sophisticated credential-stealing malware targeting developer assets.
• Delve did the security compliance on LiteLLM, an AI project hit by malware — Open-source projects face significant supply chain risks, even with security certifications.
• GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK — Chained supply chain and AI agent vulnerabilities are actively exploited, bypassing traditional security measures.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Dataconomy.