codexui-android Supply Chain Attack: Stealing AI Tokens Through npm and Android
A sophisticated supply chain attack has been identified targeting the AI development ecosystem, leveraging a deceptive developer tool named codexui-android to silently exfiltrate OpenAI Codex authentication tokens. Unlike traditional “spray and pray” malware or simple typosquatting attempts, this campaign utilizes a high-utility tool that provides genuine functionality, effectively masking its malicious payload behind a veneer of developer productivity.
Security researchers at Aikido have uncovered that for at least a month, every execution of this package has served as a silent data harvester.
The Discrepancy: Clean Source, Malicious Distribution
The core of this attack lies in a clever discrepancy between the public GitHub repository and the distributed package hosted on npm. While a manual audit of the source code on GitHub reveals no suspicious logic, the actual package published to the npm registry contains injected code within its entry point. This ensures that as soon as the application initializes, the malicious logic executes automatically without requiring any explicit user interaction.
The payload is surgically targeted. It scans the local filesystem for the Codex authentication configuration, specifically targeting the ~/.codex/auth.json file. This file is a goldmine for attackers, containing:
- Access tokens
- Refresh tokens
- ID tokens
- Unique account identifiers
To avoid detection by basic Network Intrusion Detection Systems (NIDS), the stolen data is obfuscated using a lightweight XOR-based encoding before being transmitted via an HTTPS POST request. The destination endpoint, sentry.anyclaw.store, was strategically chosen to mimic legitimate telemetry and error-reporting traffic (such as Sentry), allowing the exfiltration to blend into the “noise” of standard application monitoring.
Persistence Through Refresh Token Theft
While session hijacking is a significant concern, the primary danger of this specific exploit is the theft of the refresh token. Because refresh tokens are designed for long-term persistence and do not expire under standard operating conditions, an attacker can maintain unauthorized, continuous access to a victim’s Codex environment. This allows for deep impersonation, enabling the adversary to access code generation workflows and potentially pivot into integrated development environments (IDEs) or downstream CI/CD pipelines.
The attacker’s ability to maintain credibility is bolstered by a legitimate-looking GitHub persona. This is not a “burner” account; it is a developed profile that has gained momentum as AI-driven development tools become industry standards.

A legitimate-looking GitHub account used to build trust (Source: Aikido).
Expansion into the Mobile Ecosystem
The threat vector extends beyond the desktop environment and into Android mobile devices. The same threat actor has published applications such as “OpenClaw Codex Claude AI Agent” on the Google Play Store. These apps employ a complex delivery mechanism: they bundle a Node.js environment within a Termux-based Linux userland, which dynamically installs the malicious npm package at runtime.
Because the application does not “pin” a specific version of the npm package, it fetches the latest version upon every launch. This ensures that even if a specific version is flagged and removed, the attacker can immediately push a new, updated version to the mobile users. Once a user authenticates within the mobile app, the auth.json file is generated locally and immediately exfiltrated.

Malicious applications distributed via the Android App store (Source: Aikido).
Further forensic analysis shows that other apps, including one simply named “Codex,” share identical infrastructure, including package namespaces and custom URI handlers, suggesting a highly organized campaign.
A New Paradigm in Supply Chain Attacks
This incident marks a significant shift in adversary tactics. We are moving away from low-effort impersonation toward “Long Con” supply chain attacks. In this model, attackers invest time in building functional, widely-used, and trusted tools to establish a legitimate user base and reputation before introducing malicious logic.
As AI tooling becomes more deeply integrated into the software development lifecycle (SDLC), the value of the associated authentication tokens grows exponentially. To mitigate these risks, developers and security teams should:
- Verify Integrity: Perform checksum or hash verification to ensure the distributed npm package matches the audited GitHub source.
- Pin Dependencies: Avoid using wildcard versions in
package.jsonto prevent the automatic pulling of compromised updates. - Monitor Egress: Implement strict outbound network monitoring to detect unusual POST requests to unrecognized telemetry endpoints.
- Adopt Zero Trust: Treat third-party AI tooling with the same scrutiny as any other high-privilege system component.