Malicious npm Package Steals OpenAI Codex Authentication Tokens
Key Takeaways
- A functional npm package, codexui-android, posing as a remote web UI for OpenAI Codex, hid credential-stealing code.
- For about a month, every run exfiltrated Codex access tokens, account IDs and refresh tokens from the plaintext auth.json file.
- OpenAI refresh tokens do not expire, so stolen tokens grant indefinite impersonation; the package had more than 29,000 weekly downloads.
Summary
Trust in a popular developer tool became the attack. On June 2, 2026 researchers disclosed that codexui-android, an npm package advertised as a remote web UI for OpenAI Codex, had been quietly stealing Codex credentials. As reported by The Hacker News, every invocation copied the developer's authentication tokens to an attacker server for roughly a month before discovery.
What We Know
The package, codexui-android, was published on npm and promoted on GitHub as a remote web interface for OpenAI Codex, attracting more than 29,000 weekly downloads. Unlike a throwaway typosquat, it was a working, actively developed tool, which helped it earn trust and evade casual review. As CSO Online detailed, the malicious code targeted auth.json, the plaintext file where Codex stores credentials, and exfiltrated access tokens, account identifiers and refresh tokens to an attacker-controlled server crafted to mimic a legitimate Sentry monitoring endpoint. Researchers reported the exfiltration had run for about a month before disclosure on June 2, 2026. A companion Android application, marketed as an OpenClaw Codex Claude AI Agent, ran the same package inside a PRoot sandbox and forwarded Codex credentials to the same endpoint, widening reach beyond desktop developers.
What Happened
This was a software supply chain attack rather than a flaw in Codex itself. The attacker did not break OpenAI's service; they compromised a third-party tool developers willingly installed and ran against it. By embedding exfiltration logic into a genuinely useful, maintained package, the attacker turned ordinary use into continuous credential theft, with each run shipping fresh tokens. Two AI-specific properties made the payoff severe. Codex stores its credentials in a plaintext auth.json file, so any local code can read them, and OpenAI refresh tokens do not inherently expire, so a single theft yields durable, renewable access. With those tokens an attacker can impersonate the victim against OpenAI services, view the code the developer works on through Codex, and spend the victim's API credits. Disguising the exfiltration server as a Sentry endpoint helped the traffic evade network monitoring for roughly a month.
Why It Matters
Developer credentials are high-value because they unlock more than one account. Codex tokens expose proprietary source code, enable costly API abuse, and can become a foothold for deeper compromise of a victim's projects and pipelines. Non-expiring refresh tokens turn a quiet, one-time theft into long-term access that is hard to detect and revoke. The incident is a reminder that AI coding tools have their own fast-moving package ecosystem, where one trusted dependency can betray thousands of users at once. For security teams, it shows that the AI software supply chain, including the helpers and wrappers built around model APIs, belongs inside the same scrutiny applied to any production dependency, in line with the NIST AI Risk Management Framework and secure supply chain practices around dependency inventory, provenance and credential rotation.
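One way to run the dependency inventory check described above is to search a project's package-lock.json for the package, including transitive and aliased installs. This is an added example, not code from the researchers or from PointGuard AI; findPackage and its helpers are hypothetical names, and the sample lockfile, its version strings and the entries example-dep, helper and ui-alias are constructed.

```javascript
// Added example: lockfile inventory check. FLAGGED is the package named in
// the article; sampleLock is constructed data, not a real project's lockfile.
const FLAGGED = "codexui-android";
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
const nameFromPath = (key) => key.split("node_modules/").pop();
// A tarball URL for the flagged package also exposes npm aliases, where the
// installed folder name differs from the real package name.
const resolvedMatches = (resolved, target) =>
  typeof resolved === "string" && resolved.includes(`/${target}/-/`);

function findPackage(lock, target = FLAGGED) {
  const hits = [];
  const check = (name, meta, path) => {
    if (name === target || resolvedMatches(meta.resolved, target)) {
      hits.push({ path, version: meta.version });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key !== "") check(meta.name || nameFromPath(key), meta, key);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      check(name, meta, path);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-dep": { version: "1.0.0" },
    "node_modules/helper/node_modules/codexui-android": { version: "0.0.0" },
    "node_modules/ui-alias": {
      version: "0.0.0",
      resolved: "https://registry.npmjs.org/codexui-android/-/codexui-android-0.0.0.tgz",
    },
  },
};
console.log(findPackage(sampleLock));
```

To check a real project, pass the parsed contents of its package-lock.json to findPackage; any hit is a reason to rotate the Codex credentials stored in auth.json.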
PointGuard AI Perspective
PointGuard AI helps organizations bring the AI software supply chain under the same governance as any other production dependency. AI bill of materials visibility inventories the packages, tools, agents and model integrations a team relies on, so a credential-stealing dependency like codexui-android can be flagged and traced rather than trusted by default. Continuous monitoring watches for the anomalous credential access and outbound traffic that mark this kind of attack, including exfiltration to look-alike endpoints, turning a month-long silent campaign into a detectable event. Policy enforcement applies least privilege to the credentials AI tools can reach and supports rotation, shrinking the value of any stolen tokens. We have analyzed closely related attacks, including a LiteLLM supply chain compromise that exfiltrated cloud secrets, where a trusted dependency was weaponized the same way, and teams can see how we approach the pattern through our Supply Chain Risk Management work. The forward-looking lesson is that trustworthy AI adoption depends on treating every package and wrapper around a model API as part of the attack surface, with provenance checks, dependency inventory, least privilege, short-lived credentials and runtime monitoring that catch theft when it starts rather than a month later.
Incident Scorecard Details
Total AISSI Score: 7.2 / 10
Criticality = 7, developer Codex credentials expose proprietary source code and paid API access, AISSI weighting: 25%
Propagation = 7, more than 29,000 weekly downloads and non-expiring tokens enable broad, renewable access, AISSI weighting: 20%
Exploitability = 8, the package actively exfiltrated tokens in the wild for about a month, AISSI weighting: 15%
Supply Chain = 9, the attack lived entirely inside a trusted third-party npm package, AISSI weighting: 15%
Business Impact = 6, confirmed token theft with credible API abuse and code exposure, no verified breach scale reported, AISSI weighting: 25%
