npm supply chain attack steals OpenAI Codex tokens from 29,000 users

Craig Nash
By
Craig Nash
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.
9 Min Read
npm supply chain attack steals OpenAI Codex tokens from 29,000 users

An npm supply chain attack targeting OpenAI Codex users has exposed the danger of trusting even seemingly legitimate developer tools. A malicious npm package named codexui-android, presented as a remote web UI for OpenAI Codex, accumulated over 29,000 weekly downloads before researchers discovered it was systematically stealing authentication tokens.

Key Takeaways

  • The codexui-android package exfiltrated OpenAI Codex authentication tokens to attacker-controlled server sentry.anyclaw[.]store
  • Malicious code was added about a month after publication, building user trust before the attack began
  • Stolen refresh tokens do not expire, enabling persistent, silent impersonation indefinitely
  • The package captured access tokens, refresh tokens, ID tokens, and account IDs on every invocation
  • The package remained available for download from the repository at the time of reporting

How the npm supply chain attack worked

The npm supply chain attack operated through a deceptively simple mechanism. Once installed, codexui-android read the file ~/.codex/auth.json from within Codex’s PRoot sandbox environment, where the application stores authentication credentials after sign-in. The package then transmitted this sensitive data to sentry.anyclaw[.]store/startlog, masquerading as routine telemetry to a legitimate monitoring service. This exfiltration happened silently on every single invocation of the tool, meaning developers unknowingly leaked their credentials repeatedly.

The stolen payload included access_token, refresh_token, id_token, and account ID—a complete authentication package. What made this npm supply chain attack particularly dangerous was the refresh token’s indefinite validity. According to Aikido Security researcher Charlie Eriksen, “the refresh_token doesn’t expire” and “an attacker holding it can silently impersonate you indefinitely”. This means the compromise was not a temporary exposure but a permanent backdoor into compromised accounts.

Why this npm supply chain attack stayed hidden so long

The attackers employed a sophisticated social engineering strategy that made detection difficult. The GitHub repository associated with codexui-android appeared clean and legitimate, containing no obvious malicious code. The malicious behavior was introduced approximately one month after the package was first published, allowing the tool to build user trust and expand its download base before the attack began. This delay transformed what could have been immediately flagged as suspicious into a seemingly mature, trusted project.

The attacker’s choice to masquerade as Sentry—a well-known error-tracking and monitoring platform—further obscured the exfiltration. Developers who noticed network traffic to sentry.anyclaw[.]store would likely assume it was legitimate telemetry collection rather than credential theft. This npm supply chain attack succeeded precisely because it exploited the trust developers place in established tools and services.

The persistent access problem with stolen refresh tokens

The most alarming aspect of this npm supply chain attack is what attackers can do with a stolen Codex refresh token. Eriksen explained that “a stolen Codex refresh_token goes beyond access to a chat interface—it’s persistent, silent access to whatever that account can do”. Unlike a temporary session token that expires after hours or days, a refresh token that never expires enables indefinite impersonation without the account holder’s knowledge.

This distinction matters enormously for security posture. A developer discovering their API key was compromised can immediately rotate it. But if they do not know their Codex refresh token was stolen, the attacker maintains silent access to their account. The attacker can authenticate as the legitimate user, access their code, API usage, and any integrations connected to their Codex account. For organizations using Codex in development workflows, this represents a persistent supply chain compromise that could remain undetected for months.

npm supply chain attack comparison to other threats

This attack differs from typical npm security incidents in its sophistication and patient execution. Simple typosquatting attacks—where malicious packages use names similar to popular libraries—are caught quickly because they offer no legitimate functionality. The codexui-android package, by contrast, provided actual utility as a remote UI for Codex, making it genuinely useful to developers before turning malicious. This hybrid approach of functionality plus hidden malice is harder to detect than purely malicious packages.

The npm supply chain attack also contrasts with immediate injection attacks that activate on installation. By waiting a month before introducing malicious code, the package accumulated thousands of legitimate users and positive community sentiment. By the time the exfiltration began, the project had established credibility that made it less likely to be scrutinized by security researchers or corporate dependency scanners.

What happens after an npm supply chain attack discovery

At the time of reporting, codexui-android remained available for download from the repository. This means new developers could still unknowingly install the compromised package. Organizations that had already installed the package faced a difficult remediation timeline: they needed to identify which machines had installed it, rotate their Codex authentication credentials, and audit what the attacker accessed during the compromise window.

The npm supply chain attack raises uncomfortable questions about package vetting in the Node.js ecosystem. With over 29,000 weekly downloads, codexui-android had passed the basic threshold of popularity that sometimes creates a false sense of security. Many developers assume that packages with significant download numbers have been reviewed or validated. This attack demonstrates that popularity alone does not guarantee safety.

Could you have detected this npm supply chain attack?

Detecting this attack required either monitoring network traffic to identify exfiltration to unknown endpoints or reviewing the package’s source code carefully. Most developers do not inspect the source of every dependency they install. For teams using dependency scanning tools, the challenge was that the malicious code was added after the package’s initial publication, meaning security scans at installation time might have missed it if the package was already in use before the malicious update.

What should developers do after this npm supply chain attack?

Any developer who installed codexui-android should immediately rotate their OpenAI Codex credentials. This includes regenerating any API keys or authentication tokens associated with their Codex account. Organizations should audit their dependency logs to identify when the package was installed and cross-reference that with access logs for their Codex account to detect suspicious activity. Long-term, this attack underscores the importance of using software composition analysis tools that can detect behavioral anomalies in packages, not just known malware signatures.

Is npm inherently unsafe for developers?

npm itself is not inherently unsafe, but the open nature of the registry means malicious or compromised packages can reach users quickly. The codexui-android incident shows that even packages with substantial download numbers and seemingly legitimate purposes can harbor exfiltration code. Developers should treat all dependencies as potential attack vectors, verify that packages come from trusted sources, and monitor the network activity of tools they install in sensitive environments.

How does this npm supply chain attack affect AI tooling security?

As AI tools like OpenAI Codex become more integrated into developer workflows, they become attractive targets for attackers. Credentials for AI services often grant access to sensitive code, API quotas, and usage data. This npm supply chain attack demonstrates that the security perimeter for AI tools extends beyond the official applications—third-party packages that integrate with or wrap these tools are equally critical to secure. Developers building or distributing tools that interact with AI services must be especially vigilant about security practices.

This npm supply chain attack serves as a stark reminder that trust in the software supply chain is fragile. A tool can appear legitimate, function correctly, and still silently compromise the developers who use it. The 29,000 developers who downloaded codexui-android learned this lesson the hard way. The broader lesson for the developer community is that vigilance, monitoring, and skepticism toward dependencies—even popular ones—remains essential.

Edited by the All Things Geek team.

Source: TechRadar

Share This Article
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.