Malicious npm Package Steals OpenAI Codex Tokens

A popular npm package posed as an OpenAI Codex interface while quietly stealing developer auth tokens for a month

June 1, 2026

For roughly a month, an npm package called codexui-android did exactly what it promised. It worked as a remote web interface for OpenAI Codex, the AI coding assistant. It had a real GitHub repository, active development, and somewhere between 27,000 and 29,000 downloads every week. Developers installed it because it was useful. That is precisely what made it dangerous.

Security researchers at Aikido recently found that every published version of the package carried hidden code. The moment the tool launched, before any of its actual features ran, it read a file on the developer's machine called auth.json and shipped the contents to a server controlled by the attacker.

What it actually stole

When you sign into OpenAI Codex, your login session gets saved locally in a file at ~/.codex/auth.json. That file holds three things: an access token, a refresh token, and an account ID.

The access token is the temporary key, and it expires fairly quickly. The refresh token is the dangerous one. Refresh tokens do not expire under normal use. They exist so you do not have to log in every few minutes, because the software silently swaps a refresh token for a fresh access token in the background. If an attacker holds your refresh token, they can keep generating new access to your account indefinitely, with no password required. Changing your password does not always cut them off.

Why nobody noticed

A handful of design choices kept this quiet. The malicious code lived only in the package published to npm, not in the public GitHub repository, so anyone auditing the source on GitHub saw nothing wrong. The stolen data was scrambled with a simple XOR encoding, then base64 encoded, and posted to a path named /startlog, so it did not look like obvious credential theft on the wire. And the destination, sentry.anyclaw.store, was named to imitate Sentry, a legitimate and extremely common error reporting service. To casual monitoring, the traffic looked like ordinary telemetry.

There was a second delivery path too. An Android app from the same author bundled a hidden Linux environment, ran Node.js inside it, and pulled the package fresh from npm at launch without locking to a specific version. That meant the app always fetched whatever the latest malicious build happened to be, and it cleared app store scans before publication because the harmful code was never inside the app itself.

What this means for the rest of us

This is the part worth sitting with. The attacker did not typosquat a popular name or hijack an abandoned account. They built something genuinely good, earned trust the honest way, and then turned it against the people who relied on it. As AI tooling multiplies and teams pull in dependencies faster than they can review them, this pattern is going to keep showing up.

If you ever installed codexui-android, treat your OpenAI credentials as compromised. Rotate your tokens, sign out of all active sessions, and review your account for unfamiliar usage.

For everyone else, a few habits help. Pin your dependency versions so you control exactly what gets installed. Be cautious with packages that reach for credential files. And remember that a healthy GitHub repo is not proof that the published package matches it. The code that runs on your machine comes from the registry, not from the source you read online.

At VibeAudits, this is exactly the gap we look for: the distance between what a tool appears to do and what it actually does once it is running on your machine.
