CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 29, 2026

Legitimate-Looking Codex Remote UI Steals OpenAI Codex Authentication Tokens

Cybersecurity News Archived May 29, 2026 ✓ Full text saved

A polished, fully functional npm package has been caught secretly stealing OpenAI Codex authentication tokens from developers who trusted it. The package, named codexui-android, presented itself as a remote web UI for OpenAI Codex with no obvious signs of being malicious. It built a genuine user base, amassed 27,000 weekly downloads, and maintained an active […] The post Legitimate-Looking Codex Remote UI Steals OpenAI Codex Authentication Tokens appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    Discover more Antivirus & Malware Hacking & Cracking Security awareness training HomeCyber Security News Legitimate-Looking Codex Remote UI Steals OpenAI Codex Authentication Tokens By Tushar Subhra Dutta May 29, 2026 A polished, fully functional npm package has been caught secretly stealing OpenAI Codex authentication tokens from developers who trusted it. The package, named codexui-android, presented itself as a remote web UI for OpenAI Codex with no obvious signs of being malicious. It built a genuine user base, amassed 27,000 weekly downloads, and maintained an active GitHub repository, all while quietly draining credentials in the background. The threat had been active for roughly one month before detection. Every published version contained hidden code that fired the moment the tool launched, without any user interaction required. The malicious logic ran before any application code, giving it full access to stored authentication files right from startup. Aikido said in a report shared with Cyber Security News (CSN) that the malicious behavior after finding the published npm package contained extra code never committed to the GitHub repository. This made it nearly invisible to standard code audits. Developers checking the source would find nothing suspicious, because the theft logic existed only inside the distributed package itself. Legitimate-looking GitHub account (Source – Aikido) The exfiltration code targeted the auth.json file stored at the user’s Codex home directory. Once found, the contents were XOR-encrypted using the key “anyclaw2026,” base64-encoded, and silently sent to an attacker-controlled server. The endpoint was named to resemble a legitimate Sentry error-reporting connection, making it easy to overlook during routine network monitoring. What made this campaign alarming was how complete the theft was. The package grabbed the access token, refresh token, ID token, and account ID in one sweep. Since refresh tokens do not expire, an attacker holding one could silently impersonate the victim indefinitely. Legitimate-Looking Codex Remote UI The malicious file in the package, chunk-PUR7OUAG.js, executed at module load with no function call or condition needed to trigger it. \ The author left a comment in the source map stating the tokens would be sent “always,” independent of any other functionality. This was not accidental. It was deliberate, buried inside an otherwise working product. The exfiltration endpoint, sentry.anyclaw[.]store/startlog, was named to blend with the package’s legitimate Sentry error-reporting traffic. A developer watching network activity would see what looked like normal telemetry going out. That cover was entirely by design, giving the theft a disguise that required active investigation to uncover. The threat actor invested real effort into building a credible, useful project to use as cover, and the legitimacy itself became the attack vector. As AI tools spread and developers reach for productivity shortcuts, more attacks following this pattern should be expected. Android App Extends the Reach of the Attack The npm package was not the only delivery channel. The same author published an Android app on Google Play called “OpenClaw Codex Claude AI Agent” (package ID: gptos.intelligence.assistant), and that app automatically pulled in the malicious npm build every time it launched. A second Play Store app titled “Codex,” a paid productivity tool with over 10,000 installs, used the same codebase and exfiltration chain under a different app ID. The Android app appeared clean on pre-publish scans and weighed only 26 MB. On first launch, it extracted a Linux environment into private storage, ran Node.js inside it, and installed the malicious package from npm without pinning a version. This meant any device running the app would pull whatever the current malicious build was from the registry. Once a user signed into Codex inside the app, the auth.json file was written into storage, which the package would then read and transmit to the attacker’s server. BrutalStrike (Source – Aikido) Aikido’s investigation linked the publisher to the alias “BrutalStrike,” whose game of the same name has over five million Play Store downloads, raising serious concerns about the scale of exposure. Developers who used codexui-android or either associated Android app should immediately revoke and rotate their OpenAI Codex credentials. Monitoring outbound connections to sentry.anyclaw[.]store is strongly advised, as that is the confirmed exfiltration endpoint used throughout this campaign. Indicators of Compromise (IoCs):- Type Indicator Description Domain sentry.anyclaw[.]store Attacker-controlled exfiltration server endpoint URL Path /startlog Exfiltration POST endpoint on the C2 server File Name chunk-PUR7OUAG.js Malicious JavaScript chunk containing the exfiltration logic File Name dist-cli/index.js Entry point of the malicious npm package File Name auth.json Targeted credential file (stores Codex OAuth tokens) npm Package codexui-android Malicious npm package delivering the token stealer npm Package Version codexui-android@0.1.82 First version confirmed to contain the exfiltration code Android App ID gptos.intelligence.assistant Package ID of “OpenClaw Codex Claude AI Agent” on Google Play Android App codex.app Second Play Store app using the same malicious codebase XOR Key anyclaw2026 Encryption key used to obfuscate stolen credential data Kotlin Namespace app.anyclaw.* Namespace shared across both malicious Android APKs Auth Callback anyclaw://auth/codex-callback Deep link registered in malicious Android manifests File Name rootfs.tar.zst.bin Bundled Linux userland extracted on app first launch Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Apache CXF LDAP Injection Vulnerability Let Attacker Retrieve Arbitrary Certificates Tycoon 2FA AiTM Kit Bypasses MFA on Entra ID and Google Workspace Accounts Ubiquiti Patches Critical UniFi OS Vulnerabilities Allowing Remote Privilege Escalation Motorola Phones Preinstalled App Found Hijacking Amazon App to Inject Affiliate Codes New Zapocalypse Attack Chain Enables Full Zapier Account Takeover Latest News Cyber Security News MicrosoftSystem64 Malware Uses HuggingFace Datasets for Stealthy Data Exfiltration Cyber Security News Malicious RVTools Installer Abuses Sectigo Certificate to Bypass SmartScreen Warnings Cyber Security News Critical Samba Vulnerability Enables Remote Code Execution Attacks Chrome Google Patches 151 Vulnerabilities in Chrome, Including 22 Critical Ones Cyber Security News Google Employee Charged for Making $1.2 Million With Confidential Information
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 29, 2026
    Archived
    May 29, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗