A popular software tool used by thousands of mobile developers has been found stealing authentication tokens. On 27 May 2026, Aikido Security shared research with Hackread.com about a malicious npm package called codexui-android.
For context, codexui-android is a widely used remote web user interface for OpenAI Codex, an artificial intelligence (AI) model that writes code, and it gathers roughly 27,000 weekly downloads.
Aikido Security researcher Charlie Eriksen discovered that this package has been carrying out a supply chain attack since last month to steal user data.
Hiding in Plain Sight
Interestingly, the attackers did not use standard tricks such as typosquatting or account hijacking; instead, they built a genuinely useful tool. This was most likely done to build a real user base before weaponising it. Moreover, the malicious code does not exist in the public GitHub repository and only appears in the published npm package. A typical source code audit of the repository would therefore miss it; only a review of the published artifact itself (the tarball that npm actually serves) would reveal the extra code.
The attack triggers immediately at module load. The very first line of dist-cli/index.js imports a hidden script named chunk-PUR7OUAG.js. It quickly checks for local credentials. If they are found, a data exfiltration routine is launched to steal the access_token, id_token, account ID and refresh_token from the auth.json file. Because the code runs when the module is imported rather than in an install script, npm's ignore-scripts setting offers no protection. More problematic still, the refresh_token does not expire, so the attackers can impersonate the victim indefinitely.
To hide the network traffic, the code sends the stolen data to a server endpoint named sentry.anyclawstore. This name was chosen deliberately to blend in with normal Sentry error-reporting telemetry. Inside the hidden source map, the author even left a clear comment: "Send tokens to our startlog endpoint (always)".
Targeting Mobile Devices
Researchers noted in the blog post that this threat actor also targets Android mobile devices. The author published apps on the Google Play Store under the developer identity BrutalStrike, an identity that also owns a legitimate mobile game with over 5 million downloads.
Two specific apps, a paid productivity app called codex.app and another called "OpenClaw Codex Claude AI Agent", contain the same malicious infrastructure.
The Android apps easily pass Google's pre-publish security scans because the initial 26 MB APK file looks completely clean. Once installed, the app extracts a Termux-derived Linux userland into private storage and launches Node.js using PRoot. It then runs a command to install the latest version of the npm package: pnpm add codexui-android@latest. Because the payload is fetched from the npm registry at runtime rather than shipped in the APK, the store scan never sees it, and the attacker can change what runs without publishing an app update. The exfiltration has been active since version [email protected].
When Eriksen confronted the author, they briefly posted a comment claiming they had lost access to their npm account. They deleted it shortly afterwards, replacing it with a corporate statement denying any credential theft.
As of today, the malicious package and the apps are still live.
"AI developer tooling is becoming a high-value target precisely because the tokens are powerful and long-lived… a threat actor invested real effort into building a credible, useful project to use as cover. The legitimacy is the attack vector. As AI tools proliferate and developers reach for productivity shortcuts, expect more of this," researchers concluded.