Introduction: A New Era of Supply Chain Attacks Targets AI Developers
The rapid adoption of artificial intelligence development tools has opened new opportunities for innovation, but it has also created an attractive attack surface for cybercriminals. Security researchers have uncovered a sophisticated software supply chain campaign targeting developers who use OpenAI Codex through what appeared to be a legitimate remote web interface. Unlike traditional malware operations that rely on fake packages or typosquatting techniques, this campaign weaponized a fully functional and actively maintained software package trusted by thousands of users.
The discovery highlights a troubling trend where attackers are increasingly embedding malicious functionality into legitimate development tools, allowing them to harvest credentials, compromise accounts, and gain long-term access to developer environments without immediately raising suspicion.
Legitimate-Looking Codex Tool Concealed Credential Theft Operations
Cybersecurity researchers at Aikido Security revealed that a package named codexui-android was being promoted through GitHub and npm as a remote web user interface for OpenAI Codex. The package gained significant traction among developers, reportedly attracting more than 29,000 weekly downloads.
What made the operation particularly dangerous was its authenticity. The package was not a clone, counterfeit, or typo-based imitation. It provided real functionality and underwent active development, helping establish credibility within the developer community.
For weeks, users interacted with the software believing it was a useful productivity tool, unaware that hidden code had been quietly collecting and transmitting their authentication credentials to an attacker-controlled server.
Malicious Code Added After Trust Was Established
Investigators discovered that the package initially appeared benign when first uploaded. The suspicious functionality was introduced roughly one month later, a tactic commonly used by threat actors seeking to avoid early detection.
By delaying the deployment of malicious code, attackers allowed the project to accumulate downloads, positive engagement, and community trust before activating credential theft mechanisms.
This approach demonstrates an increasingly sophisticated understanding of software ecosystem trust models, where reputation itself becomes a weapon.
How Codex Authentication Tokens Were Stolen
The malicious package specifically targeted the file:
~/.codex/auth.json
This local file stores OpenAI Codex authentication data for users who sign in through ChatGPT accounts, API credentials, IDE extensions, or command-line interfaces.
Researchers found code capable of extracting highly sensitive information, including:
Stolen Data Included
Access Tokens
Refresh Tokens
ID Tokens
Account Identifiers
The information was then transmitted to a remote domain disguised to resemble a legitimate monitoring platform.
The destination server used the domain:
sentry.anyclaw.store
The naming convention appears intentionally designed to imitate Sentry, a well-known application monitoring and error-tracking service frequently used by software developers.
Why Refresh Tokens Create a Long-Term Security Risk
Among the stolen assets, refresh tokens represent the most serious threat.
Unlike temporary access tokens, refresh tokens can often be used repeatedly to generate new authentication sessions. According to researchers, possession of a valid refresh token could allow attackers to maintain persistent access to victim accounts without triggering immediate suspicion.
This transforms the incident from a simple credential theft operation into a potentially long-term account takeover campaign.
An attacker who obtains these tokens may continue impersonating users long after passwords have been changed or active sessions have expired.
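A defender-side triage of what a stolen auth.json hands over, as an added example (not code from the article or from OpenAI): it reports which token kinds the file holds, which have already expired, which show no expiry at all, and whether other local users can read the file. The nested "tokens" key names and the JWT-shaped sample tokens are assumptions constructed for the demo, not OpenAI's documented layout.

```python
# Defender-side triage of a local Codex credential file.  Added example, not code
# from the article or OpenAI; the nested "tokens" layout and the JWT-shaped sample
# are constructed assumptions, not OpenAI's documented format.
import base64
import json
import stat
import time

TOKEN_KEYS = ("access_token", "refresh_token", "id_token")
FIXED_NOW = 1_800_000_000  # fixed clock so the constructed sample is reproducible

def jwt_expiry(token):
    """'exp' claim of an unverified JWT-shaped token, or None if it is not one."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload)).get("exp")
    except (ValueError, AttributeError):
        return None

def triage(auth_json_text, file_mode, now=None):
    """Report present / expired / no-visible-expiry tokens and file exposure; never echoes values."""
    now = time.time() if now is None else now
    tokens = json.loads(auth_json_text)
    tokens = tokens.get("tokens", tokens)  # tolerate flat or nested layouts
    report = {"present": [], "expired": [], "long_lived": [], "world_readable": False}
    for key in TOKEN_KEYS:
        value = tokens.get(key)
        if not value:
            continue
        report["present"].append(key)
        exp = jwt_expiry(value)
        if exp is None:
            report["long_lived"].append(key)  # opaque, e.g. a refresh token: no expiry to wait out
        elif exp < now:
            report["expired"].append(key)
    # Readable by group or others: as exposed as a password written in a shared file.
    report["world_readable"] = bool(file_mode & (stat.S_IRGRP | stat.S_IROTH))
    return report

def _fake_jwt(exp):
    """Constructed, unsigned JWT-shaped token for the sample below."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none'})}.{seg({'exp': exp})}.sig"

SAMPLE_AUTH_JSON = json.dumps({"tokens": {  # constructed sample of the fields the article lists
    "access_token": _fake_jwt(FIXED_NOW - 3600), "id_token": _fake_jwt(FIXED_NOW + 3600),
    "refresh_token": "constructed-opaque-refresh", "account_id": "acct_constructed"}})
```

On a real machine, call triage(open(path).read(), os.stat(path).st_mode); anything listed under long_lived, typically the refresh token, is what to revoke first.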
OpenAI Had Already Warned Developers About Local Credential Storage
OpenAI documentation has previously warned developers about the sensitivity of locally stored authentication files.
The company explicitly advises users to treat the auth.json file as a password because it contains valuable access credentials.
Security experts frequently emphasize that developers often underestimate the risk posed by local credential caching. While convenient for workflow automation, these files become prime targets for malware and insider threats.
The Codex campaign serves as a real-world example of why those warnings exist.
Android Applications Expanded the Attack Surface
The investigation uncovered a second delivery mechanism beyond npm.
Researchers identified an Android application called OpenClaw Codex Claude AI Agent that incorporated the malicious package within a PRoot-based Linux sandbox environment.
The application reportedly accumulated more than 50,000 downloads.
Rather than directly embedding malicious functionality, the Android application dynamically executed the npm package within a virtualized Linux environment. This architecture helped conceal malicious behavior while allowing attackers to continuously leverage whatever version of the npm package was currently available.
As soon as users authenticated within the app, the credentials became accessible to the malicious package and were subsequently transmitted to the remote server.
Second Android Application Also Linked to Credential Theft
Researchers additionally identified another Android application named Codex associated with the same developer entity, BrutalStrike.
The application reportedly exceeded 10,000 downloads before attracting attention from security researchers.
Investigators found the same exfiltration infrastructure and credential theft mechanisms embedded within this software.
Interestingly, several other applications published by the developer did not contain the same functionality, suggesting a highly targeted effort focused specifically on AI development ecosystems.
Domain Registration Timeline Raises Serious Questions
Further investigation into infrastructure records revealed a suspicious timeline.
WHOIS data showed that the domain associated with the credential collection server was registered on April 12, 2026.
This registration occurred only two days after the earliest version of the npm package appeared online.
The close timing between package publication and domain registration suggests that both components were likely planned as part of a coordinated operation from the beginning.
Such evidence weakens the possibility that the credential theft functionality was added accidentally or through a later compromise by unrelated attackers.
Author Responses Failed to Address Critical Questions
When confronted by researchers, the package maintainer initially claimed to have lost access to the npm account.
The explanation was later modified, with the maintainer stating that an internal investigation was underway and that affected functionality was being removed.
Additional statements asserted that collected credentials had not been shared with third parties.
However, researchers noted that several critical questions remained unanswered.
Most importantly:
Why was token collection functionality introduced only in npm builds?
Why was credential access necessary at all?
Why was the collection endpoint linked to infrastructure associated with the author?
The lack of clear answers has continued to fuel concerns within the security community.
AI Development Ecosystems Become Prime Targets
This incident represents a broader evolution in cybercrime strategy.
Historically, attackers targeted enterprise software, cloud credentials, and source code repositories. Today, AI tooling has become an equally valuable target.
Modern AI environments frequently contain:
API keys
Proprietary datasets
Source code
Customer information
Cloud infrastructure credentials
Sensitive business workflows
Compromising an AI developer account can provide attackers with direct access to multiple interconnected systems simultaneously.
As organizations increasingly rely on AI-assisted development, these environments become lucrative targets for credential theft campaigns.
What Undercode Say:
The Codex credential theft campaign demonstrates a fundamental shift in supply chain attack methodology.
Instead of creating obviously malicious software, attackers are investing time into building functional products.
Trust has become the primary attack vector.
Developers often evaluate software based on popularity, download counts, GitHub activity, and community engagement.
Threat actors understand this behavior.
By delaying malicious modifications until after trust is established, they dramatically increase the success rate of credential theft operations.
The use of a real package rather than a fake clone shows operational maturity.
The attacker recognized that long-term persistence would generate greater returns than quick malware deployment.
The targeting of AI developer tools is especially noteworthy.
AI ecosystems increasingly hold privileged access across entire software development pipelines.
A compromised AI developer account may expose source repositories, cloud infrastructure, API gateways, deployment systems, and sensitive internal documentation.
Refresh tokens create another serious problem.
Unlike passwords, refresh tokens are frequently overlooked during incident response.
Organizations may rotate credentials while failing to invalidate existing refresh sessions.
This creates opportunities for silent re-entry.
The Android delivery mechanism is equally significant.
Embedding npm functionality inside a Linux sandbox demonstrates technical sophistication.
Many mobile security scans focus on static indicators.
Dynamic package retrieval can help attackers bypass initial reviews.
The infrastructure timeline also deserves attention.
Domain registration shortly after package publication suggests planning rather than opportunistic abuse.
This was likely not a spontaneous attack.
Evidence points toward a coordinated campaign.
Developers should no longer assume that popular open-source projects are inherently trustworthy.
Package reputation can be manipulated.
Download counts can be misleading.
Even active maintenance may conceal malicious intent.
The security industry has spent years focusing on dependency confusion and typosquatting.
This campaign highlights a different challenge.
Trusted software itself may evolve into a threat.
Future supply chain defense strategies must include continuous behavioral monitoring.
Code audits cannot be one-time events.
Every package update should be treated as a new security assessment.
Organizations should also minimize credential persistence whenever possible.
Authentication files containing reusable tokens represent high-value targets.
Short-lived credentials and stronger token revocation controls will become increasingly important.
The broader lesson is clear.
As AI development becomes mainstream, threat actors will increasingly attack the tools developers trust most.
The battlefield is shifting from traditional software repositories toward AI-centric development ecosystems.
Deep Analysis: Linux Commands for Investigating Similar Threats
Security teams investigating potential token theft campaigns can use the following Linux commands:
Identify Suspicious Network Connections
netstat -tulpn
ss -tulpn
Search for Credential Files
find ~ -name auth.json
find / -name "*.json" 2>/dev/null
Monitor File Access Activity
auditctl -w ~/.codex/auth.json -p rwxa
ausearch -f ~/.codex/auth.json
Inspect Installed npm Packages
npm list -g --depth=0
npm audit
Search for Suspicious Domains
grep -R "anyclaw" ~/.npm
grep -R "sentry.anyclaw.store" /
Analyze Running Node.js Processes
ps aux | grep node
lsof -i
Capture Outbound Traffic
tcpdump -i any host sentry.anyclaw.store
Verify Package Integrity
npm view codexui-android
npm pack --dry-run
These commands help defenders identify unauthorized access attempts, suspicious package behavior, and credential exfiltration activities before they escalate into larger compromises.
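The grep commands above find the indicator strings but not which package carries them. The following added example (not the article's or Aikido's tooling) walks a node_modules tree, flags source files that reference ~/.codex/auth.json or sentry.anyclaw.store, and attributes each hit to the nearest package.json; the two-package sample tree it builds in a temporary directory is constructed for the demo.

```python
# Scan of a node_modules tree for the two indicators the article names (a reference to
# ~/.codex/auth.json and the sentry.anyclaw.store host).  Added example, not the
# article's or Aikido's tooling; the sample tree is constructed in a temp directory.
import json
import os
import re
import tempfile

INDICATORS = {  # '.codex' then up to 6 separator/quote chars then 'auth.json'
    "codex_auth_file": re.compile(r"\.codex\W{1,6}auth\.json"),
    "exfil_domain": re.compile(r"sentry\.anyclaw\.store"),
}
SOURCE_EXT = (".js", ".mjs", ".cjs", ".ts", ".json")

def package_name(file_path, root):
    """Name from the nearest package.json above file_path (within root), else '?'."""
    d = os.path.dirname(file_path)
    while d.startswith(root):
        pj = os.path.join(d, "package.json")
        if os.path.isfile(pj):
            with open(pj) as fh:
                return json.load(fh).get("name", "?")
        d = os.path.dirname(d)
    return "?"

def scan_tree(root):
    """Sorted (package, relative file, indicator) triples for every source file hit."""
    hits = set()
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.endswith(SOURCE_EXT)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for label, rx in INDICATORS.items():
                if rx.search(text):
                    hits.add((package_name(path, root), os.path.relpath(path, root), label))
    return sorted(hits)

def build_sample_tree():
    """Constructed node_modules: one benign package, one carrying both indicators."""
    root = tempfile.mkdtemp(prefix="nm_")
    files = {"good-ui/package.json": '{"name": "good-ui"}',
             "good-ui/index.js": "module.exports = () => 'hello';",
             "suspect-ui/package.json": '{"name": "suspect-ui"}',
             "suspect-ui/lib/telemetry.js": "const p = path.join(os.homedir(), '.codex', 'auth.json');\n"
                                            "const host = 'sentry.anyclaw.store';  // constructed\n"}
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root
```

Point scan_tree at a project's node_modules or at the npm cache to triage a real install; a hit on codex_auth_file in a package that has no business with Codex credentials is the finding to escalate.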
✅ Security researchers did identify malicious credential exfiltration functionality within the codexui-android npm package.
✅ The package reportedly targeted OpenAI Codex authentication files and transmitted sensitive tokens to an external server, creating a legitimate security concern.
✅ The incident reflects a broader trend of attackers targeting AI development environments and software supply chains rather than relying solely on traditional malware delivery methods.
Prediction
(+1) AI-focused developer tools will receive significantly stronger security auditing and package verification processes over the next year.
(+1) Software repositories will increasingly deploy behavioral analysis systems capable of detecting credential harvesting activity inside legitimate packages.
(-1) Threat actors will continue targeting authentication tokens instead of passwords because token theft often provides longer-lasting and stealthier access.
(-1) Additional AI-related npm, Python, and IDE extension ecosystems are likely to experience similar supply chain attacks as adoption continues to grow.
(+1) Organizations that implement short-lived tokens, continuous monitoring, and automated credential revocation will significantly reduce the impact of future supply chain compromises.
References:
Reported By: thehackernews.com