Building trust in the open-source software community takes time, but destroying it can happen in a single update. Cybersecurity researchers have just blown the lid off a highly sophisticated supply chain attack specifically targeting developers who rely on OpenAI Codex to write, test, and review code. Bad actors reportedly hid malicious credential-stealing code inside a seemingly legitimate utility, enabling them to siphon off sensitive authentication data from tens of thousands of unsuspecting programmers.
OpenAI Codex tokens stolen via malicious npm update: The bait and switch
According to Aikido Security, the threat is targeting a npm package called “codexui-android.” It was marketed as a useful remote web UI for the Codex platform, and it quickly gained popularity. The tool reached over 29,000 weekly downloads.
What makes this campaign particularly sinister is the patience of the threat actor. More specifically, we are talking about an npm account operating under the handle “friuns”. For the first month of its lifecycle, the package behaved entirely as advertised, earning user trust. Even more clever, the project’s public GitHub repository remained entirely clean. This means anyone reviewing the public source code would see zero red flags. However, once it got a solid user base, a new update to the npm registry silently injected information-stealing code.
Silent and permanent access
Once a developer runs the compromised package, the script goes hunting for local, cached login files. Specifically, it targets the plaintext auth.json file where the Codex app, CLI, or IDE extensions store credentials. The stolen data—including access tokens, account IDs, and refresh tokens—is then quietly exfiltrated to a rogue server mimicking a legitimate Sentry monitoring platform.
Charlie Eriksen, the lead researcher at Aikido Security, warned that the implications of this theft are incredibly severe. OpenAI refresh tokens do not inherently expire, which means an attacker holding one can silently impersonate the victim indefinitely. This gives them an uninterrupted, unmonitored access to view live programming projects, hijack OpenAI sessions, and potentially drain victim’s API credits.
Expanding to mobile platforms
The npm ecosystem isn’t the only front in this campaign. Researchers also flagged a parallel operation on mobile devices tied to a developer named “BrutalStrike”. The actor published a pair of malicious Android applications, most notably “OpenClaw Codex Claude AI Agent,” which accumulated over 50,000 downloads.
On a standard pre-publish security scan, the app looked entirely benign. However, upon execution, it secretly spins up a sandboxed Linux environment to run Node.js. Because the app doesn’t lock down its version controls, it automatically pulls the latest compromised code directly from npm, reads the login files generated within the app, and routes the credentials to the exact same data-theft server.
This incident serves as a brutal reminder of OpenAI’s own official security warnings: local authentication files should always be treated with the same extreme caution as core passwords. For developers caught up in the breach, changing passwords and revoking active API keys is the only way to lock the back door.
The post Infostealer Malware Sneaks into Popular Codex UI Tool After One Month of Building Trust appeared first on Android Headlines.
