June 3, 2026 Newsletter
Attackers stole OpenAI Codex authentication tokens via a malicious npm package with 29,000+ weekly downloads. Learn what this supply chain attack means for your security posture.
The software supply chain is under attack — and this time, artificial intelligence development tools are in the crosshairs.
Cybersecurity researchers recently disclosed a sophisticated npm supply chain attack targeting developers using OpenAI Codex, one of the most widely adopted AI coding tools on the market. The malicious package, named codexui-android, was quietly harvesting and exfiltrating authentication tokens to an attacker-controlled server, all while appearing to be a legitimate, actively maintained development utility. With over 29,000 weekly downloads, the scale of exposure is significant.
For IT and security leaders at mid-to-large enterprises, this isn't just a developer problem. It's an enterprise risk problem.
What Happened: The codexui-android npm Supply Chain Attack
The attack followed a pattern that's becoming increasingly common among sophisticated threat actors: rather than creating a throwaway package with an obvious typosquat name, the attacker embedded malicious code into a functional, well-maintained npm package that had built genuine user trust over time.
The package was published to npm and promoted via GitHub as a remote web UI for OpenAI Codex. Shortly after establishing a user base, the attacker introduced credential-harvesting code — designed to extract the contents of Codex's local authentication file (~/.codex/auth.json) and silently ship them to a remote server masquerading as Sentry, a well-known application monitoring platform.
The stolen data included:
Access tokens
Refresh tokens
ID tokens
Account IDs
The most alarming element? The refresh token doesn't expire. According to security researchers at Aikido Security, an attacker holding a stolen Codex refresh token can silently impersonate the victim indefinitely — gaining persistent access to whatever that account can do.
Why This Attack Is Different — and More Dangerous
Traditional supply chain attacks often rely on typosquatting or newly created packages with little credibility. This attack was more calculated:
1. Trust was built before the attack began. Malicious code was only introduced roughly a month after the package was published, after downloads had already scaled up. The associated GitHub repository remained clean, providing a false sense of legitimacy.
2. The delivery was multi-vector. Beyond the npm package itself, the same credential exfiltration chain was found embedded in two Android applications on the Google Play Store, released under the developer name "BrutalStrike", with a combined install count exceeding 60,000. The apps ran the malicious npm package inside a sandboxed Linux environment, capturing Codex credentials on mobile devices as well.
3. The exfiltration infrastructure was deliberate. The attacker's domain (sentry.anyclaw[.]store) was registered just two days after the first version of the npm package was published — a clear indicator of premeditation.
The Broader Threat: AI Developer Tooling as an Attack Surface
This incident is part of a growing and deeply concerning trend: threat actors are targeting AI developer tools and workflows specifically because of the high-value access they enable.
Codex credentials don't just unlock a chat interface. They unlock API access, code execution environments, and integrated development workflows that can touch sensitive systems across an organization. In enterprise environments, a compromised developer credential can be the first step in a much larger intrusion.
OpenAI itself warns developers: treat ~/.codex/auth.json like a password — it contains access tokens. Don't commit it, paste it into tickets, or share it in chat.
The same principle extends to every AI tool your developers use. As AI becomes embedded in DevOps pipelines, code review, and cloud automation, the credentials that power those tools become high-priority targets.
What Your Organization Should Do Right Now
If your teams use OpenAI Codex — or any AI-assisted development tool — this incident should prompt an immediate review of your developer security controls.
Immediate Actions:
Audit npm dependencies across development environments for the codexui-android package and remove it immediately.
Rotate Codex credentials for any developers who may have installed the package, particularly if they installed version 0.1.82 or later.
Search for the Android apps ("OpenClaw Codex Claude AI Agent" / package: gptos.intelligence.assistant and "Codex" / package: codex.app) on any company-managed or BYOD devices and remove them.
Check network logs for outbound connections to sentry.anyclaw[.]store.
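The dependency audit and the network log check above can be scripted. The following is an added example, not code from the researchers or from npm: it audits a parsed package-lock.json for codexui-android in both lockfile layouts and filters proxy or DNS log lines for the exfiltration host. The function names, the priority flag, and the sample lockfile and log lines are constructed for illustration.

```javascript
// Added example: indicators come from the article; sample data is constructed.
const PKG = 'codexui-android';
const CITED_VERSION = '0.1.82'; // version named in the rotation advice
const IOC_HOST = 'sentry.anyclaw[.]store'.replace('[.]', '.'); // refanged for matching only

// Numeric comparison of dotted versions; pre-release suffixes are ignored.
function cmpVersion(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Handles lockfile v2/v3 (flat "packages" map) and v1 (nested "dependencies").
function auditLockfile(lock) {
  const hits = [];
  const record = (where, meta) => {
    const version = String(meta.version || '0.0.0');
    hits.push({ where, version, priority: cmpVersion(version, CITED_VERSION) >= 0 });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.split('node_modules/').pop() === PKG) record(path, meta);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === PKG) record(trail + name, meta);
      walk(meta.dependencies, `${trail}${name} > `);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Returns log lines naming the host or a subdomain, not look-alike prefixes or suffixes.
function findLogHits(lines) {
  const host = IOC_HOST.replace(/\./g, '\\.');
  const re = new RegExp(`(?<![a-z0-9-])${host}(?![a-z0-9-]|\\.[a-z0-9])`, 'i');
  return lines.filter((line) => re.test(line));
}

// Constructed sample inputs.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo' },
  'node_modules/tool/node_modules/codexui-android': { version: '0.1.90' } } };
const sampleLogs = ['10:02 CONNECT sentry.anyclaw.store:443', '10:03 CONNECT sentry.io:443'];
console.log(auditLockfile(sampleLock), findLogHits(sampleLogs));
```

Any hit warrants removal and credential rotation; the priority flag only marks installs at or after the version the article singles out. Transitive installs are reported with their full path so the parent dependency can be identified.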
Strategic Security Controls:
Implement a vetted package registry policy. Require developers to use an internal or approved mirror of npm rather than pulling directly from the public registry without review.
Deploy secrets scanning in CI/CD pipelines. Tools that detect credential files, tokens, and API keys committed to repositories or bundled into build artifacts are essential.
Extend endpoint detection to developer workstations. Developer machines are now part of the software supply chain. EDR coverage should reflect this reality.
Apply Zero Trust principles to AI tool credentials. Treat AI API keys and authentication tokens with the same rigor as cloud service credentials — vaulted, rotated regularly, and monitored for anomalous use.
Establish a software composition analysis (SCA) program. Continuously scan open-source dependencies for known vulnerabilities and behavioral anomalies, not just CVEs.
The Credential Revocation Window: Another Layer of Risk
The Aikido Security research team also surfaced a related threat worth noting: even after credentials are revoked, there can be a window of continued exposure. In a separate finding, they identified that deleted Google API keys can remain active for up to 23 minutes — enough time for an attacker with a leaked key to access user data and cached conversations, including those tied to Google Gemini. The median revocation window was found to be approximately 16 minutes.
This mirrors a similar finding with deleted AWS access keys, where a 4-second exploitation window was documented. The implication is clear: credential revocation is not instantaneous, and incident response plans must account for this gap.
For security teams, this means treating any credential exposure as a confirmed breach until forensic evidence confirms otherwise — not just rotating the key and moving on.
How InfoSight Can Help
At InfoSight, we help organizations close the gaps that attacks like this exploit.
Our security services are built for enterprises that need more than a checkbox compliance program — they need real visibility, tested defenses, and expert partners who stay ahead of emerging threats.
Our capabilities directly relevant to supply chain and credential security include:
Penetration Testing — including developer environment and CI/CD pipeline assessments to identify credential exposure and supply chain weaknesses before attackers do.
Vulnerability Management — continuous scanning and prioritization of risks across your software stack, including open-source dependencies.
Security Monitoring & Threat Detection — 24/7 monitoring for indicators of compromise, including anomalous outbound connections and credential misuse.
Security Program Assessments — NIST CSF-aligned reviews that evaluate your organization's readiness against modern threat vectors, including AI-era supply chain risks.
The Bottom Line
The codexui-android npm supply chain attack is a wake-up call for any organization that has embraced AI-powered development tools — which, in 2026, is most of them. The attackers didn't break into a server or exploit a zero-day vulnerability. They built trust, waited, and quietly drained credentials at scale.
Your security strategy needs to be as adaptive as the threat landscape. That means extending controls to cover developer workstations, AI tool credentials, and third-party packages with the same rigor you apply to your perimeter and cloud environments.
Ready to assess your organization's exposure to supply chain and credential-based attacks? Contact InfoSight today to schedule a conversation with our security team.