Close Menu
    What's Hot

    7 Americans Sent to Disputed Kenya Ebola Site After New Trump Travel Ban

    Applications close in 48 hours — here’s everything Australian founders need to know about Stripe x Startup Battlefield

    Reformation IPO bets fast fashion can keep up with Big Fashion

    Facebook X (Twitter) Instagram
    Trending
    • 7 Americans Sent to Disputed Kenya Ebola Site After New Trump Travel Ban
    • Applications close in 48 hours — here’s everything Australian founders need to know about Stripe x Startup Battlefield
    • Reformation IPO bets fast fashion can keep up with Big Fashion
    • F.N.B. Corporation (FNB) Q2 2026 Earnings Call Transcript
    • OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests
    • The viral watermelon ice cream hack looks like magic. Does it actually work?
    • Trump’s Election Claims and SAVE Act Push Find Muted Response From G.O.P. Lawmakers
    • Trump Pursues a Deeper Bond With China’s Leader, Despite Hostile Speech
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack

    adminBy adminJune 1, 2026No Comments5 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack
    Share
    Facebook Twitter LinkedIn Pinterest Email

    OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack

    Cybersecurity researchers have disclosed details of a new malicious supply chain campaign that’s targeting developers using OpenAI Codex through a legitimate-looking remote web UI.

    The tool, named codexui-android, is advertised on GitHub and npm as a remote web UI for OpenAI Codex, attracting over 29,000 weekly downloads. The package is still available for download from the repository.

    What makes this activity noteworthy is that it’s not a traditional attack that uses a typosquat or throwaway package to trick developers. Rather, the malicious code is embedded into a functional npm package that has undergone active development. The associated GitHub repository remains clean.

    “And for the past month, every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server,” Aikido Security researcher Charlie Eriksen said.

    The nefarious changes are said to have been introduced about a month after the package was published to the registry, likely in an effort to build user trust and expand its reach. The npm account associated with the package is “friuns” (aka Igor Levochkin).

    Present within the package is code that extracts the contents of Codex’s “~/.codex/auth.json” file and exfiltrates them to a remote server (“sentry.anyclaw[.]store”) that masquerades as Sentry, a legitimate application monitoring and error tracking platform. The captured data includes the following details: access_token, refresh_token, id_token, and account ID.

    “The refresh_token doesn’t expire,” Eriksen said. “An attacker holding it can silently impersonate you indefinitely. A stolen Codex refresh_token goes beyond access to a chat interface — it’s persistent, silent access to whatever that account can do.”

    Cybersecurity

    It’s worth mentioning here that every time a user logs in to the Codex app, CLI, or IDE Extension using either ChatGPT or an API key, the login details are cached locally in a plaintext file at ~/.codex/auth.json or in the operating system-specific credential store.

    “If you use file-based storage, treat ~/.codex/auth.json like a password: it contains access tokens,” OpenAI warns in its support documentation. “Don’t commit it, paste it into tickets, or share it in chat.”

    Interestingly, the npm package is far from the only delivery vector the threat actor uses to target Codex developers. Aikido said it observed an Android application named OpenClaw Codex Claude AI Agent (package name: “gptos.intelligence.assistant”) that runs the npm package within its PRoot sandbox and sends the Codex credentials to the same endpoint.

    “The APK itself is small (26 MB) and looks clean on a Play pre-publish scan,” Eriksen explained. “On first run, it extracts a Termux-derived Linux userland into the app’s private storage and runs Node.js inside it via PRoot.”

    “The version is not pinned, so the device pulls whatever is currently published on npm. The exfiltration has been in place since codexui-android@0.1.82. The package runs inside the app’s PRoot sandbox, where the in-app Codex sign-in writes its auth.json. Once the user signs in, the package reads that file out of the sandbox and ships the full OAuth blob to sentry.anyclaw.store/startlog.”

    Released by an entity named “BrutalStrike,” the Android app has more than 50,000 downloads. The same exfiltration chain has also been flagged in a second Android app linked to BrutalStrike: Codex (package name: “codex.app”), which has been downloaded over 10,000 times. The remaining three apps offered by the developer do not contain the functionality.

    Upon reaching out to the package author on GitHub, Aikido said they initially posted a comment stating they had lost access to their npm account, only to edit the response and post a different one in which they claimed they are “currently investigating this issue internally” and that they “have started removing the affected functionality and related data.”

    The author further claimed no credential data was shared with any third parties, without answering why this code was inserted only into the npm package build or why they needed access to the Codex tokens in the first place. The X profile linked to the author includes the domain “anyclaw[.]store.”

    WHOIS records indicate that the domain was registered on April 12, 2026, just two days after the very first version of the npm package (version 0.1.72) was uploaded to npmjs[.]com.

    Cybersecurity

    The development comes as threat actors are increasingly targeting real artificial intelligence (AI) developer tooling and workflows to steal credentials and burrow deeper into the software supply chain.

    Late last month, the Belgian security company also found that a deleted Google API key remains live for up to 23 minutes, a window that an attacker with access to a leaked key can take advantage of to gain access to user data and other APIs, including those related to Google Gemini. The median revocation window is around 16 minutes.

    “An attacker holding your deleted key can keep sending requests until one reaches a server that has not caught up,” researcher Joe Leon said. “If Gemini is enabled on the project, they can dump files you have uploaded and exfiltrate cached conversations.”

    Although Google first opted not to fix the issue, stating it’s a “known property of the system and not a security issue,” the tech giant has since decided to treat it as a P0 bug, making it a severe issue that “needs to be addressed immediately.”

    The findings, as with a similar 4-second exploitation window previously observed with deleted Amazon Web Services (AWS) access keys, highlight how credential revocation delays are exploitable and can be used to gain unauthorized access to the cloud environments, while defenders assume the credentials have been revoked.

    attack Authentication Chain Codex codexuiandroid npm OpenAI stolen Supply Tokens
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleAnthropic stock listing date nears as Claude AI maker gears up for one of the year’s most anticipated IPOs
    Next Article Anthropic Confidentially Files for What Could Be the Largest IPO Ever
    admin
    • Website

    Related Posts

    OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

    July 18, 2026

    EU urges Israel to halt settlement expansion as settlers attack children | Occupied West Bank News

    July 17, 2026

    New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

    July 17, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    7 Americans Sent to Disputed Kenya Ebola Site After New Trump Travel Ban

    Applications close in 48 hours — here’s everything Australian founders need to know about Stripe x Startup Battlefield

    Reformation IPO bets fast fashion can keep up with Big Fashion

    F.N.B. Corporation (FNB) Q2 2026 Earnings Call Transcript

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by