The gist: Attackers have infected a popular npm package (codexui-android, ~27,000 weekly downloads) with malware that steals long-lived OpenAI tokens while successfully evading code audits and Google Play reviews.
A sophisticated attack targets developers using the npm package codexui-android: malware steals OpenAI authentication tokens, particularly refresh tokens with no expiration date, which enable unlimited account access.
The npm package codexui-android, which serves as a remote interface for OpenAI Codex developers and records approximately 27,000 downloads per week, has become the target of a coordinated malware campaign. Security researcher Charlie Eriksen from Aikido Security discovered that the package was infected with malicious software that specifically exfiltrates authentication tokens from OpenAI developers.
The campaign demonstrates high strategic sophistication: the attacker initially released the package fully functional and without malicious code. Only after a sufficiently large user base had developed—approximately one month later—was the application modified. The malicious code is loaded at runtime from a hidden Linux environment, not from the publicly visible GitHub repository. This method circumvents static code audits and automated security checks as well as Google Play’s review process before app publication, since the harmful code is not directly integrated into the APK installation package.
Particularly critical are the stolen refresh tokens, which are stored in the local file ~/.codex/auth.json. Unlike temporary session tokens, these have no expiration date. An attacker in possession of a refresh token can continuously mint new access tokens and thus retain permanent access to the affected account without ever knowing the password. Each time the infected application starts, the access token, ID token, and account identifiers are additionally extracted and transmitted to an external server, disguised as telemetry data for the Sentry analytics service.
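One defender-side consequence of the "disguised as Sentry telemetry" detail is that such traffic can be spotted at the egress proxy: requests that have the shape of Sentry reports but go to a host that is not the organisation's real Sentry ingest endpoint. The following detector is an added example, not code from the article or from Aikido Security; it runs over constructed proxy log lines, assumes a Sentry-style request shape (a POST to an /api/<project>/envelope/ or /store/ path, or a sentry_key query parameter), and uses an invented host allowlist and log format.

```python
"""Flag Sentry-shaped egress that does not go to the real Sentry endpoint.

Added example (not from the it-daily.net article). Log format, allowlist and
sample lines are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Assumed allowlist: where this organisation legitimately sends Sentry reports.
ALLOWED_TELEMETRY_HOSTS = {"o12345.ingest.sentry.io", "sentry.example-corp.internal"}
ALLOWED_TELEMETRY_SUFFIXES = (".ingest.sentry.io",)

# Constructed proxy log format: "<timestamp> <source-host> <method> <url> <bytes_out>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?(?:\?(?P<query>.*))?$")
# Sentry ingest paths look like /api/<project_id>/envelope/ or /api/<project_id>/store/
ENVELOPE_PATH_RE = re.compile(r"^/api/\d+/(envelope|store)/?$")


@dataclass
class Finding:
    ts: str
    src: str
    host: str
    bytes_out: int
    reason: str


def parse_line(line):
    """Return the fields of one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def sentry_shaped_host(url):
    """If the URL has the shape of a Sentry report, return its host; else None."""
    u = URL_RE.match(url)
    if not u:
        return None
    path = u.group("path") or ""
    query = u.group("query") or ""
    if ENVELOPE_PATH_RE.match(path) or "sentry_key=" in query:
        return u.group("host")
    return None


def host_is_allowed(host):
    return host in ALLOWED_TELEMETRY_HOSTS or host.endswith(ALLOWED_TELEMETRY_SUFFIXES)


def scan(lines):
    """Return findings for Sentry-shaped POSTs to hosts outside the allowlist."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        host = sentry_shaped_host(rec["url"])
        if host is None or host_is_allowed(host):
            continue
        findings.append(Finding(rec["ts"], rec["src"], host, int(rec["bytes"]),
                                "Sentry-shaped POST to non-allowlisted host"))
    return findings


def flagged_hosts(lines):
    return [f.host for f in scan(lines)]


# Constructed sample: one legitimate Sentry report, two look-alikes, two unrelated requests.
SAMPLE_LOG = [
    "2026-05-31T08:00:01Z devbox-17 POST https://o12345.ingest.sentry.io/api/4501/envelope/ 2140",
    "2026-05-31T08:00:03Z devbox-17 POST https://telemetry-cdn.example.net/api/1/envelope/?sentry_key=abc 5312",
    "2026-05-31T08:00:05Z devbox-17 GET https://registry.npmjs.org/codexui-android 812",
    "2026-05-31T08:00:09Z devbox-17 POST https://203.0.113.10/api/7/store/ 4096",
    "2026-05-31T08:00:11Z devbox-17 POST https://api.openai.com/v1/responses 900",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.host} ({f.bytes_out} bytes): {f.reason}")
```

The allowlist is the important knob: a malicious dependency that mimics a vendor's telemetry format still has to name a destination, and in a shop that knows its own Sentry ingest host, any other destination receiving envelope-shaped POSTs from developer machines deserves a look.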
Analysts link the compromised npm package to a GitHub account under the pseudonym BrutalStrike. This actor operates multiple applications on Google Play, including a mobile game with over five million downloads. Another application named OpenClaw Codex Claude AI Agent uses the same infrastructure and loads the compromised npm package on each launch.
Source: www.it-daily.net · Published May 31, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.0.