{"id":731333,"date":"2026-06-04T09:10:20","date_gmt":"2026-06-04T06:10:20","guid":{"rendered":"https:\/\/buradabiliyorum.com\/en\/popular-codex-npm-package-stole-developer-tokens-for-a-month\/"},"modified":"2026-06-04T09:10:20","modified_gmt":"2026-06-04T06:10:20","slug":"popular-codex-npm-package-stole-developer-tokens-for-a-month","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/popular-codex-npm-package-stole-developer-tokens-for-a-month\/","title":{"rendered":"Popular Codex npm package stole developer tokens for a month"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.thenextweb.com\/2026\/06\/codex-npm-supply-chain-token-theft.avif\" \/><\/p>\n<div id=\"article-main-content\">\n<div class=\"postContent-tldr\">\n<h4 class=\"postContent-offsetTitle\"><span class=\"ez-toc-section\" id=\"TLDR\"><\/span>TL;DR<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>A popular npm package for OpenAI Codex with roughly 29,000 weekly downloads has been stealing developer authentication tokens for a month. The same credential-theft chain also ran through two Android apps with over 60,000 combined downloads.<\/p>\n<\/div>\n<p>The npm package, codexui-android, looked legitimate. It had an active GitHub repository, a steady development history, and roughly 29,000 weekly downloads. For developers using <a href=\"https:\/\/www.aikido.dev\/blog\/codex-remote-ui-steals-ai-tokens\" target=\"_blank\" rel=\"nofollow noopener\">OpenAI Codex<\/a>, it offered exactly what it advertised: a remote web UI for the AI coding tool.<\/p>\n<p>But for the past month, every invocation of codexui-android has also been silently reading the user\u2019s Codex authentication file and shipping its contents to an attacker-controlled server. The stolen data includes access tokens, refresh tokens, ID tokens, and account IDs: everything needed to impersonate the developer indefinitely.<\/p>\n<p>\u201c<em>The refresh_token doesn\u2019t expire<\/em>,\u201d Aikido Security researcher Charlie Eriksen <a href=\"https:\/\/www.aikido.dev\/blog\/codex-remote-ui-steals-ai-tokens\" target=\"_blank\" rel=\"nofollow noopener\">wrote<\/a>. \u201c<em>An attacker holding it can silently impersonate you indefinitely<\/em>.\u201d<\/p>\n<h2><span class=\"ez-toc-section\" id=\"How_it_worked\"><\/span>How it worked<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The attack did not fit the usual npm supply chain pattern. Unlike typosquats or throwaway packages, codexui-android was a functional tool under active development, and its <a href=\"https:\/\/github.com\/friuns2\/codex-mobile\/issues\/198\" target=\"_blank\" rel=\"nofollow noopener\">GitHub repository remained clean<\/a>. 
The malicious code existed only in the published npm build, not in the repository source, so reviewing the project on GitHub said nothing about what the npm registry actually delivered.<\/p>\n<p>The package reads Codex\u2019s <code>~\/.codex\/auth.json<\/code> file, a plaintext credential cache created whenever a user logs in via the Codex app, CLI, or IDE extension. It then sends those credentials to <code>sentry.anyclaw[.]store<\/code>, a hostname chosen to mimic <a href=\"https:\/\/sentry.io\/\" target=\"_blank\" rel=\"nofollow noopener\">Sentry<\/a>, the legitimate error-tracking platform, so that the outbound traffic passes for routine crash reporting.<\/p>\n<p>The malicious functionality was introduced approximately a month after the package was first published, a common tactic for building user trust before deploying a payload. <a href=\"https:\/\/whois.domaintools.com\/anyclaw.store\" target=\"_blank\" rel=\"nofollow noopener\">WHOIS records<\/a> show the exfiltration domain was registered on 12 April 2026, just two days after the first package version (0.1.72) was uploaded to npm, so the infrastructure was in place well before the payload shipped. The malicious code appeared from version 0.1.82 onward.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_same_attack_from_the_Play_Store\"><\/span>The same attack, from the Play Store<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The npm package was not the only delivery vector. Aikido found that an Android application called <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=gptos.intelligence.assistant\" target=\"_blank\" rel=\"nofollow noopener\">OpenClaw Codex Claude AI Agent<\/a>, published by a developer named BrutalStrike, was running the same npm package inside a PRoot sandbox on users\u2019 devices. The app had accumulated more than 50,000 downloads on Google Play.<\/p>\n<p>A second BrutalStrike app, simply called Codex, had over 10,000 downloads and contained the same exfiltration chain. 
Because neither app pinned a specific version of the npm package, each install pulled whatever was currently published, so the malicious code reached mobile users the moment version 0.1.82 went live.<\/p>\n<p>The combined reach, roughly 29,000 weekly npm downloads plus more than 60,000 mobile installations, makes this one of the more significant credential-theft campaigns to target the AI developer tooling ecosystem.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_authors_shifting_story\"><\/span>The author\u2019s shifting story<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The npm account behind the package belongs to \u201c<em>friuns<\/em>,\u201d identified by Aikido as Igor Levochkin. When <a href=\"https:\/\/github.com\/friuns2\/codex-mobile\/issues\/198\" target=\"_blank\" rel=\"nofollow noopener\">confronted on GitHub<\/a>, the author initially claimed to have lost access to the npm account, then edited the response to say they were \u201c<em>currently investigating this issue internally<\/em>.\u201d<\/p>\n<p>Levochkin said no credential data was shared with third parties, but did not explain why the exfiltration code was inserted only into the npm build, or why access to users\u2019 Codex tokens was needed in the first place. The <a href=\"https:\/\/x.com\/friuns2\" target=\"_blank\" rel=\"nofollow noopener\">X profile<\/a> linked to the account lists the domain anyclaw[.]store, the same domain to which the stolen tokens were sent.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"A_growing_pattern\"><\/span>A growing pattern<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The attack arrives in a period of escalating threats to AI developer tooling. Last month, a poisoned VS Code extension breached GitHub\u2019s own internal repositories, exfiltrating 3,800 repositories after an employee installed the malicious package. 
That attack, attributed to the group TeamPCP, harvested credentials from 1Password vaults, Claude Code configurations, and AWS.<\/p>\n<p>The lesson from both incidents is the same. As AI coding tools become essential infrastructure, the authentication tokens they generate, and often store in plaintext, are becoming high-value targets. OpenAI\u2019s own <a href=\"https:\/\/developers.openai.com\/codex\/auth\" target=\"_blank\" rel=\"nofollow noopener\">documentation<\/a> warns developers to treat <code>~\/.codex\/auth.json<\/code> like a password. That advice is necessary but not sufficient: any package that runs under the developer\u2019s account reads the file with the developer\u2019s own permissions, so the remaining defences are controlling what gets installed and when it updates, watching where tooling connects, and rotating tokens on suspicion. Anyone who ran an affected version should treat every token in that file as compromised, sign out of Codex and sign in again so that a fresh login issues new tokens, and confirm with OpenAI whether the earlier refresh token is invalidated server-side, since the article notes it does not expire on its own. The codexui-android campaign shows what happens when the tools developers trust are built to exploit that trust.<\/p>\n<p>Aikido has also separately reported that revoked Google API keys remain usable for up to 23 minutes after deletion, a window attackers can exploit to access user data and Gemini conversations. Google has since classified the issue as a P0 bug. The finding underscores a broader problem: credential revocation in cloud environments is rarely as instant as defenders assume.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/thenextweb.com\/news\/a-popular-openai-codex-tool-with-29000-weekly-downloads-has-been-quietly-stealing-developer-tokens-for-a-month\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>TL;DR A popular npm package for OpenAI Codex with 29,000 weekly downloads has been stealing developer authentication tokens for a month. The same credential-theft chain also ran through two Android apps with over 60,000 combined downloads. The npm package looked legitimate. 
It had an active GitHub repository, steady development history, and roughly 29,000 weekly downloads&#8230;.<\/p>\n","protected":false},"author":1,"featured_media":731334,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/media.thenextweb.com\/2026\/06\/codex-npm-supply-chain-token-theft.avif","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-731333","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/731333","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=731333"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/731333\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/731334"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=731333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=731333"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=731333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}