OpenAI credential-stealing malware found hidden inside popular Codex tool


A popular Codex tool used by thousands of developers has been secretly stealing users’ login tokens for the past month, all by triggering the installation of a malicious npm package. It’s still available for download on Google Play as of today.


Aikido Security researcher Charlie Eriksen, in a blog updated on Thursday, said the “legitimate-looking” npm package – called “codexui-android” – was pulling roughly 27,000 downloads per week after first appearing on npm.

The malicious package posed as a remote interface for OpenAI Codex users. Image by PixieMe | Shutterstock

Malware hidden in npm package, not GitHub repo

Presented as a remote interface for OpenAI Codex users, the tool was reportedly designed so that, once installed on the user's machine, it automatically pulls the malicious npm package at runtime inside a hidden Linux environment.

“It's a functional tool that developers actually wanted rather than a typosquat or throwaway package. That's what makes it dangerous,” Eriksen writes.

Aikido Security researcher Charlie Eriksen warned the package was stealing authentication tokens.

What's more, the author who built the unofficial Codex developer tool apparently waited patiently until the app developed a robust user base before weaponizing it with extra lines of malicious code.

“The package was live for about a month without issues. However, about a month ago, all published versions contained extra code that you wouldn’t see in the GitHub repo,” Eriksen said.

This means a source code audit – used by developers to catch security vulnerabilities, bugs, and other coding violations – will not flag the package as malware.
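The defender's check that follows from this is a file-level comparison of the published npm artifact against the repository it claims to be built from. The script below is an added example, not Aikido's tooling or anything from the package's author; the file trees, the extra `dist/telemetry.js` file and the `example-ui` package name are constructed for illustration. It flags files that exist only in the published tarball, files whose content differs from the repo copy, and, among those, any that name the `~/.codex/auth.json` token store the report identifies.

```python
"""Diff a published npm tarball against the git checkout it claims to come from.

Added example; the report only establishes that published versions carried code
absent from the GitHub repo, so the check is a tree comparison. Sample trees below
are constructed and are not the real package contents.
"""
import hashlib
import io
import tarfile
from dataclasses import dataclass, field
from pathlib import Path

TOKEN_STORE = ".codex/auth.json"  # token file named in the report


@dataclass
class TreeDiff:
    only_in_package: list = field(default_factory=list)
    only_in_repo: list = field(default_factory=list)
    modified: list = field(default_factory=list)
    references_token_store: list = field(default_factory=list)


def diff_trees(repo: dict, package: dict) -> TreeDiff:
    """Both arguments map relative path -> file bytes."""
    out = TreeDiff()
    out.only_in_repo = sorted(set(repo) - set(package))
    for path in sorted(package):
        data = package[path]
        if path not in repo:
            out.only_in_package.append(path)
        elif hashlib.sha256(repo[path]).digest() != hashlib.sha256(data).digest():
            out.modified.append(path)
        else:
            continue  # identical to the repo copy: nothing to inspect
        # Any added or changed file that names the token store deserves a look.
        if TOKEN_STORE.encode() in data:
            out.references_token_store.append(path)
    return out


def read_tarball(tar_bytes: bytes) -> dict:
    """npm tarballs keep every file under a top-level 'package/' directory."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            if member.isfile():
                name = member.name.split("/", 1)[1] if "/" in member.name else member.name
                files[name] = tf.extractfile(member).read()
    return files


def make_tarball(files: dict) -> bytes:
    """Build an npm-style tarball in memory (used here to construct the sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo("package/" + name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_checkout(root: Path) -> dict:
    """Read a git checkout into the same path -> bytes shape (skips .git)."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file() and ".git" not in p.parts}


# Constructed sample: the repo tree, and a published tree with one extra file
# plus a modified entry point that loads it.
REPO = {
    "package.json": b'{"name":"example-ui","version":"1.2.0","main":"dist/index.js"}',
    "dist/index.js": b'module.exports = require("./ui");\n',
    "dist/ui.js": b"// renders the remote interface\n",
}
PUBLISHED = dict(REPO)
PUBLISHED["dist/index.js"] = b'require("./telemetry");\nmodule.exports = require("./ui");\n'
PUBLISHED["dist/telemetry.js"] = (
    b'const store = require("path").join(require("os").homedir(), ".codex/auth.json");\n'
)


def demo() -> TreeDiff:
    """Round-trip the published tree through a tarball, then diff it against the repo."""
    package = read_tarball(make_tarball(PUBLISHED))
    return diff_trees(REPO, package)


if __name__ == "__main__":
    print(demo())
```

In practice the tarball comes from `npm pack <name>@<version>` (or the registry's `dist.tarball` URL) and the checkout from the tag the package's `package.json` version points at; `read_checkout` and `read_tarball` feed both into `diff_trees`. Files that differ only because of a build step still need a human look, but a file that exists solely in the published artifact and names a credential store is exactly the signal a repo-only audit misses.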

Researchers linked the package author to a GitHub account under the name BrutalStrike. Image by Aikido Security

Furthermore, because the malicious code is pulled “after installation rather than bundled directly inside the APK,” the app can bypass Google Play’s pre-publication security scans, the research showed.

Stolen refresh tokens could allow long-term access

The malicious package is designed to extract users’ authentication tokens and send them (disguised as Sentry telemetry) to a remote server – presumably controlled by the author/hacker – every time the application launches.

Aikido said the package collected:

  • access tokens
  • refresh tokens
  • ID tokens
  • account identifiers

Another aspect that makes the credential-stealing even more sinister is that the package specifically targets “refresh tokens,” which, in this case, are stored in the “~/.codex/auth.json” file.

“The scary part here is that these are refresh tokens – they don’t expire,” Eriksen said.

Researchers say stolen refresh tokens could give attackers long-term access to accounts. Image by Cybernews

Unlike temporary session tokens, a refresh token allows an attacker to continuously generate new access credentials, essentially giving them long-term access to a victim’s account.


Author has multiple apps on Google Play

Eriksen, who confronted the owner of the package before posting the blog, first connected the author to a “legitimate-looking GitHub account.”

Eriksen was also able to identify the owner via the moniker “BrutalStrike,” noting that “this person has multiple apps on the Android App store, including a game with 5m+ downloads.”

One of those Android apps – "OpenClaw Codex Claude AI Agent" – was also found to “drag the malicious npm build onto every device on launch.”

Researchers linked the package author to multiple Android apps on Google Play. Image by Aikido Security

Four other Play apps by the developer were determined to be free of the malicious infrastructure.

When asked for comment on the findings, Eriksen reported that the alleged developer posted a comment under the username “fruins2,” stating that they had lost access to their npm account, and even asked Aikido to remove the malicious package.

That comment was later deleted and replaced with a statement denying the credential theft allegations.

Yet the author's own comment written in the source map – "// Send tokens to our startlog endpoint (always independent of Sentry)" – "leaves no room for interpretation," the researcher says.
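Because a source map embeds the original sources in its `sourcesContent` array, it is a cheap place for a reviewer to look when a minified bundle is suspect. The script below is an added example, not Aikido's method or the package author's code: it parses a source map, walks the embedded sources line by line and reports matches for a small set of indicator patterns. The indicator patterns and the sample map (including the `src/telemetry.js` source) are constructed for illustration; only the quoted comment and the `.codex/auth.json` path come from the report.

```python
"""Scan a JavaScript source map's embedded sources for references to the local
Codex token store. Added example; the sample map is constructed."""
import json
import re
from dataclasses import dataclass

# Indicator patterns are the example's own choice, not from the report.
INDICATORS = {
    "token_store_path": re.compile(r"\.codex/auth\.json"),
    "refresh_token": re.compile(r"refresh_token", re.IGNORECASE),
    "token_endpoint_comment": re.compile(r"//.*\btokens?\b.*\bendpoint\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    source: str      # entry from the map's "sources" array
    line: int        # 1-based line within that embedded source
    indicator: str   # key from INDICATORS
    text: str        # the matching line, stripped


def scan_source_map(map_json: str) -> list:
    """Return every indicator hit in the map's sourcesContent, in source order.

    Maps without sourcesContent carry no original code, so they yield nothing
    and the bundle itself has to be read instead.
    """
    smap = json.loads(map_json)
    sources = smap.get("sources", [])
    contents = smap.get("sourcesContent") or []
    findings = []
    for name, content in zip(sources, contents):
        if content is None:  # per-entry null is allowed by the format
            continue
        for lineno, line in enumerate(content.splitlines(), start=1):
            for label, pattern in INDICATORS.items():
                if pattern.search(line):
                    findings.append(Finding(name, lineno, label, line.strip()))
    return findings


def flagged_sources(findings: list) -> list:
    """Distinct embedded sources that produced at least one finding."""
    return sorted({f.source for f in findings})


# Constructed sample map: a benign UI module and a module that reads the token store.
SAMPLE_MAP = json.dumps({
    "version": 3,
    "file": "bundle.min.js",
    "sources": ["src/ui.js", "src/telemetry.js"],
    "sourcesContent": [
        "export function render() { return 'ui'; }\n",
        "// Send tokens to our startlog endpoint (always independent of Sentry)\n"
        'const store = path.join(os.homedir(), ".codex/auth.json");\n',
    ],
    "mappings": "",
})


if __name__ == "__main__":
    for f in scan_source_map(SAMPLE_MAP):
        print(f"{f.source}:{f.line} [{f.indicator}] {f.text}")
```

Run it against the `.map` files shipped in the extracted tarball rather than those in the repository, since the point of the report is that the two can differ. A hit on the token-store path in a file that has nothing to do with authentication is the kind of finding worth escalating.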

Researchers say comments inside the source map “leave no room for interpretation.” Images by Aikido Security

Eriksen says the pattern where “a threat actor invests real effort into building a credible, useful project to use as cover” is worth flagging, pointing out that “the legitimacy (of the app) is the attack vector.”

“As AI tools proliferate and developers reach for productivity shortcuts, expect more of this,” Eriksen adds.


In another update Thursday, Eriksen posted on X that “Windows Defender now detects the payload as ‘Trojan:JS/CodeRat.DA!MTB.’”

At the time of publication, Aikido said both the npm package and associated Google Play apps remained live.
