A well-liked software program device utilized by 1000’s of cellular builders has been discovered stealing authentication tokens. On 27 Could 2026, Aikido Safety shared analysis with Hackread.com a couple of malicious npm package deal referred to as For context, it’s a extremely fashionable distant net person interface for OpenAI Codex, a man-made intelligence (AI) mannequin that writes code, gathering roughly 27,000 weekly downloads.<\/p>\n Aikido Safety\u2019s researcher, Charlie Eriksen, found that this package deal ran a provide chain assault final month to steal person information.<\/p>\n Curiously, the attackers didn\u2019t use customary tips like typosquatting<\/a> or account hijacking; as an alternative, they developed a genuinely useful gizmo. This was likely finished to kind an actual person base earlier than weaponising it. Furthermore, the malicious code doesn\u2019t exist within the public GitHub repository, and solely seems within the printed npm package deal<\/a>. This implies a typical supply code audit will surely miss it.<\/p>\n The assault triggers instantly at module load. The very first line of dist-cli\/index.js imports a hidden script named To cover the community visitors, the code sends the stolen information to a server endpoint named sentry.anyclawstore. This was chosen deliberately to mix in with regular Sentry error-reporting telemetry. Contained in the hidden supply map, the creator even left a transparent remark: \u201cShip tokens to our startlog endpoint (at all times)\u201d.<\/p>\n Researchers famous within the weblog publish<\/a> that this menace actor additionally targets Android cellular units. The creator printed apps on the Google Play Retailer below the developer identification BrutalStrike, who additionally owns a professional cellular recreation with over 5 million downloads. <\/p>\n Two particular apps, a paid productiveness app referred to as codex.app and one other referred to as \u201cOpenClaw Codex Claude AI Agent\u201d, include the identical malicious infrastructure.<\/p>\n The Android apps<\/a> simply cross Google\u2019s pre-publish safety scans as a result of the preliminary 26 MB APK file appears utterly clear. As soon as put in, the app extracts a Termux-derived Linux userland into personal storage and launches Node.js utilizing PRoot. It then runs a command to put in the most recent model of the npm package deal: pnpm add When Eriksen confronted the creator, they briefly posted a remark claiming they misplaced entry to their npm account. They deleted it shortly after, changing it with a company assertion denying any credential theft. <\/p>\ncodexui-android<\/code>. <\/p>\nHiding in Plain Sight<\/strong><\/h3>\n
chunk-PUR7OUAG.js<\/code>. It rapidly checks for native credentials. If discovered, a knowledge exfiltration routine is launched to steal access_token, id_token<\/code>, account ID, and the refresh_token<\/code> from the auth.json<\/code> file. Extra problematic is {that a} refresh_token<\/code> doesn\u2019t expire; therefore, the attackers can impersonate the sufferer indefinitely.<\/p>\nConcentrating on Cell Gadgets<\/strong><\/h3>\n
![\"\"](\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/05\/Malicious-Codex-UI-Tool-Secretly-Exfiltrates-OpenAI-Refresh-Tokens-1024x584.png\")
<\/a>codexui-android@newest<\/code>. The exfiltration has been lively since model [email\u00a0protected]<\/a><\/code>.<\/p>\n
![\"\"](\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/05\/Malicious-Codex-UI-Tool-Secretly-Exfiltrates-OpenAI-Refresh-Tokens-1.png\")
<\/a><\/figure>\n<\/div>\n