Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens

A polished npm package called `codexui-android` — a remote web UI for OpenAI Codex with 27,000 weekly downloads and an active GitHub repo — was silently exfiltrating users' Codex authentication tokens (access, refresh, and ID tokens) to an attacker-controlled server for over a month. The malicious code was injected only into the published npm artifact, not the GitHub source, making it invisible to source audits. It runs unconditionally on startup, reads `~/.codex/auth.json`, and POSTs the full OAuth blob to `sentry.anyclaw.store` — a domain designed to mimic legitimate Sentry telemetry traffic. The same author also ships an Android app on Google Play that automatically pulls and runs the malicious npm package on launch, extending the attack surface to mobile users. The threat actor built a genuinely useful tool to establish credibility before weaponizing it, representing a sophisticated evolution of supply chain attacks targeting AI developer tooling.