Security researchers at Aikido Security have uncovered a malicious campaign targeting developers who use OpenAI Codex. The attack affects users of a popular tool called codexui-android, which is distributed through GitHub and npm as a web interface for remotely accessing and managing Codex.
At first glance, the project appeared completely legitimate. The package was actively maintained, had a public GitHub repository, and was being downloaded more than 29,000 times per week. That is exactly why it caught researchers’ attention: this was not a typical typosquatting campaign or a one-off malicious package, but a fully functional tool that had data-stealing capabilities deliberately embedded into it.
According to Aikido Security researcher Charlie Eriksen, the package had been silently exfiltrating Codex authentication tokens to an attacker-controlled server for the past month.
“And for the past month, every invocation has quietly exfiltrated your Codex authentication tokens to an attacker-controlled server.”
Researchers believe the malicious functionality was introduced roughly a month after the package was first published. This tactic likely helped the project build trust and gain adoption before the attack was deployed at scale. The package has been linked to the npm account “friuns,” which is associated with Igor Lyovochkin.
The malicious code searched for the ~/.codex/auth.json file, where Codex stores local authentication credentials. It then transmitted the file’s contents to sentry.anyclaw.store, a domain disguised to resemble the legitimate monitoring platform Sentry. The stolen data included access tokens, refresh tokens, ID tokens, and account identifiers.
Researchers are particularly concerned about the refresh token because it effectively does not expire.
“The refresh_token never expires. An attacker who stores it can silently impersonate you indefinitely.”
OpenAI notes that when users sign in to Codex through ChatGPT, an API key, or an IDE extension, authentication credentials may be stored locally in ~/.codex/auth.json or within the operating system’s credential storage. The company explicitly advises users to treat this file like a password and never share it publicly.
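For teams that want to check their own projects for the indicators described above, here is an added audit script (written for this article, not code from Aikido or the package) that walks a project tree and flags files referencing the ~/.codex/auth.json path, the sentry.anyclaw.store domain, or a dependency on codexui-android. The sample tree it scans in demo() is constructed for illustration; the package name "suspect-pkg" and the file contents are placeholders, not the real package.

```python
"""Audit an npm project tree for the indicators described in the article."""
import os
import re
import tempfile

# Indicators from the article: the credential file the package read, the
# look-alike Sentry domain it sent data to, and the package name itself.
INDICATORS = {
    "codex_auth_file": re.compile(r"\.codex[/\\]auth\.json"),
    "exfil_domain": re.compile(r"anyclaw\.store"),
    "known_bad_package": re.compile(r'"codexui-android"'),
}
SCAN_EXT = (".js", ".mjs", ".cjs", ".json", ".ts")


def scan_text(path, text):
    """Return (path, indicator) pairs for every indicator found in text."""
    return [(path, name) for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root):
    """Walk root (e.g. a project dir with node_modules) and collect hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.endswith(SCAN_EXT):
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(rel, fh.read()))
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
    return findings


def demo():
    """Build a constructed sample tree (placeholder content) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        mod = os.path.join(root, "node_modules", "suspect-pkg")
        os.makedirs(mod)
        # Constructed stand-in: only the two strings a scanner would key on.
        with open(os.path.join(mod, "index.js"), "w") as fh:
            fh.write("const AUTH = require('os').homedir() + '/.codex/auth.json';\n"
                     "const SINK = 'https://sentry.anyclaw.store';\n")
        with open(os.path.join(mod, "util.js"), "w") as fh:
            fh.write("module.exports = (a, b) => a + b;\n")  # benign file
        with open(os.path.join(root, "package.json"), "w") as fh:
            fh.write('{"dependencies": {"codexui-android": "^1.0.0"}}\n')
        return sorted(scan_tree(root))


if __name__ == "__main__":
    for path, indicator in demo():
        print(f"{indicator}: {path}")
```

Run it against a real project by calling scan_tree on the project root; a hit on the auth-file path or the domain in a dependency is grounds to rotate Codex credentials and remove the package.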
The campaign did not stop with the npm package. Aikido researchers also discovered an Android application called OpenClaw Codex Claude AI Agent (gptos.intelligence.assistant) that ran the same npm package inside a Linux environment provided by Termux and PRoot. After a user logged into Codex, the application read the authentication file and transmitted it to the same remote server.
According to the researchers, the app appeared completely benign during Google Play review, was only 26 MB in size, and automatically deployed its own Linux environment to run Node.js after installation.
The application was published by an organization called BrutalStrike and accumulated more than 50,000 downloads. Researchers found the same credential-stealing mechanism in another Android application from the same developer, Codex (codex.app), which had been downloaded more than 10,000 times. The developer’s other published applications did not contain the malicious functionality.