News Analysis

Codex UI Token Theft Shows AI Tooling Supply-Chain Risk

Aikido found a third-party Codex remote UI package that sent local OpenAI authentication tokens to attacker infrastructure. The response is credential revocation, tarball review, egress control, and tighter isolation for AI developer tools.

By Protocol Report Editorial | Updated June 8, 2026
Short Version

Aikido Security reported on May 27, 2026 that a third-party package named codexui-android, promoted as a remote web UI for OpenAI Codex, was exfiltrating local Codex authentication material. The researcher said the public GitHub repository looked clean, while the malicious logic existed in the published npm artifact and ran when the tool started.

The practical risk is not a confirmed breach of OpenAI's service. It is a developer supply-chain incident aimed at local credentials used by AI coding tools. A useful tool gained real users, then the published package read `~/.codex/auth.json` or `$CODEX_HOME/auth.json` and sent the contents to infrastructure made to resemble telemetry. Anyone who installed and ran it should treat Codex credentials as exposed.

Key Takeaways

  • This is a third-party tool supply-chain incident, not evidence that OpenAI's infrastructure was compromised.
  • A clean GitHub repository was not enough because the malicious code was in the npm-published build artifact.
  • Local AI-tool credentials should be treated like cloud access tokens, not like disposable desktop app settings.
  • Android wrapper apps widened the path by fetching the npm package at runtime instead of bundling a fixed reviewed copy.
  • Teams should respond with credential revocation, usage review, package holdback, tarball comparison, sandboxing, and egress controls.

What Aikido Found

Aikido's Charlie Eriksen described codexui-android as a polished, functional remote UI for Codex with roughly 27,000 weekly downloads. That point matters because the incident was not classic typosquatting. The package provided a capability developers wanted, built trust, and then used the distribution channel to run credential-stealing code.

According to the report, the published npm entry point imported a compiled chunk before normal application code. That chunk checked the local Codex auth file, extracted the stored authentication material when present, encoded it, and posted it to sentry.anyclaw.store. Aikido said the malicious code was absent from the public GitHub source and present in the npm package artifact.

What Was At Risk

The file path matters. Codex CLI sign-in stores local credentials so the tool can reuse a login without manual key copy-paste each time. A package running on the developer's machine can attempt to read that local state if the operating system and sandbox do not prevent it. Aikido reported that the stolen material included access, refresh, and ID token fields plus account information.

That turns an npm package into an identity problem. A stolen coding-agent token can let an attacker interact with services as the developer's account or API organization, depending on token scope and account configuration. The direct response is not only uninstalling the package. It is revoking the relevant OpenAI sessions, OAuth grants, and API keys, then checking usage, billing, logs, and project access.

Why Source Review Was Not Enough

Many teams still inspect a GitHub repository and assume the package installed from npm matches it. This incident shows why that assumption is weak. The artifact users run is the tarball published to the registry, not the repository page. Build steps, generated files, sourcemaps, omitted files, or malicious publish-time changes can create a gap between the reviewed source and the executed package.

npm provenance and trusted publishing can help because they create verifiable links between source, build workflow, and package publication. They do not replace review of the artifact or the build pipeline. If the workflow itself is compromised, or if a package is not using provenance, teams still need holdback windows, package diffing, network observation, and a policy for new developer tools that ask for powerful local access.
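The artifact-versus-source gap described above can be checked mechanically. The following is an added example, not code from Aikido or from the package in question: it hashes every file in a registry tarball and compares it with a reviewed source tree, reporting files that exist only in the published artifact, files whose contents differ, and files missing from the artifact. Both trees here are constructed stand-ins; in practice the tarball would come from `npm pack <name>@<version>` and the source side from building the tagged checkout.

```python
import hashlib
import io
import tarfile
from typing import Dict, List, Tuple

# Constructed stand-in for a reviewed, built source checkout: path -> bytes.
SOURCE_TREE = {
    "package/package.json": b'{"name":"example-remote-ui","main":"dist/index.js"}',
    "package/dist/index.js": b'require("./app");\n',
    "package/dist/app.js": b'console.log("serving ui");\n',
}

# Constructed stand-in for the registry artifact: same files, plus an extra
# compiled chunk and an entry point that imports it before the app code.
ARTIFACT_TREE = {
    "package/package.json": b'{"name":"example-remote-ui","main":"dist/index.js"}',
    "package/dist/index.js": b'require("./chunk-1a2b");\nrequire("./app");\n',
    "package/dist/app.js": b'console.log("serving ui");\n',
    "package/dist/chunk-1a2b.js": b'/* compiled chunk absent from source */\n',
}

def build_tarball(tree: Dict[str, bytes]) -> bytes:
    """Pack a path->bytes mapping into an in-memory .tgz, as `npm pack` would."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in tree.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def digest_tarball(tgz: bytes) -> Dict[str, str]:
    """Return path -> sha256 hex digest for every regular file in the tarball."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                digests[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests

def compare_artifact_to_source(artifact_tgz: bytes, source: Dict[str, bytes]) -> Tuple[List[str], List[str], List[str]]:
    """Return (only_in_artifact, modified, only_in_source), each sorted by path."""
    art = digest_tarball(artifact_tgz)
    src = {p: hashlib.sha256(d).hexdigest() for p, d in source.items()}
    only_in_artifact = sorted(set(art) - set(src))
    only_in_source = sorted(set(src) - set(art))
    modified = sorted(p for p in set(art) & set(src) if art[p] != src[p])
    return only_in_artifact, modified, only_in_source

if __name__ == "__main__":
    extra, changed, missing = compare_artifact_to_source(build_tarball(ARTIFACT_TREE), SOURCE_TREE)
    print("only in artifact:", extra)  # the unreviewed compiled chunk
    print("modified:", changed)        # the entry point that now imports it
    print("only in source:", missing)
```

Any path in the first two lists is a file the repository review never saw in that form and is where a holdback review should start.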

The Android Wrapper Path

Aikido also reported Android applications from the same publisher that pulled codexui-android at runtime into a Linux-like environment on the device. That made the mobile path more difficult to reason about. A static app review could look at the submitted APK and miss the final code executed after first launch, because the app fetched the latest npm package when it ran.

This is a reminder that mobile app stores and npm registries are not separate worlds when developer tools embed runtimes. An Android wrapper can become an npm execution environment. A desktop utility can become a browser-accessible remote UI. A local AI tool can become a credential broker. Security review has to follow the runtime behavior, not only the packaging format.

Immediate Response For Developers

If codexui-android or the associated Android apps were installed and run, remove them and assume local Codex credentials were exposed. Log out of Codex CLI, delete or rotate local credential state as appropriate, revoke API keys created for Codex, disconnect unwanted OAuth grants, and review active sessions. OpenAI's help documentation notes that disconnecting a Codex CLI connector and revoking generated API keys are separate actions, so both paths should be checked.

Then look for evidence of abuse. Review OpenAI usage, billing, API keys, organization membership, connected apps, project files, and any downstream services that the coding agent could reach. If the tool was used inside a corporate environment, check endpoint logs for connections to the reported exfiltration host, package install history, shell history, lockfile changes, proxy logs, and developer workstations that used the same account.

Controls For AI Developer Workflows

AI coding tools should run with dedicated identities and narrow workspaces. A personal account with broad API access, cloud access, repository access, and local filesystem access is too attractive a target. Where possible, use separate projects or organizations, scoped keys, spending limits, short-lived credentials, and explicit approval for actions that add dependencies, run package managers, open network listeners, or start remote UIs.

Teams should also make egress visible. A tool that reads a credential file and immediately contacts an unknown domain should be easier to spot in a managed workstation environment. That does not mean blocking every package download. It means developer endpoints need a route for high-risk events: new package execution, credential-file reads, unusual DNS, outbound POSTs to new infrastructure, and AI tool processes running outside approved directories.
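The "credential-file read followed by contact with an unknown domain" pattern above can be expressed as a simple correlation over endpoint events. This added example (not from the page's reporting or any vendor product) runs over constructed file-read and network-connect events and flags a process that reads a Codex `auth.json` and then connects to a host outside an assumed allow list within a short window. The allow list, event schema, and hostnames are assumptions for illustration.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed endpoint events, not real telemetry. Process 4242 reads the Codex
# auth file and POSTs to an unlisted host; process 5151 reads it and only talks
# to an allowed host.
EVENTS = [
    {"ts": "2026-05-27T09:00:01", "pid": 4242, "proc": "node", "type": "file_read",
     "path": "/home/dev/.codex/auth.json"},
    {"ts": "2026-05-27T09:00:02", "pid": 4242, "proc": "node", "type": "net_connect",
     "host": "telemetry.unlisted.example", "method": "POST"},
    {"ts": "2026-05-27T09:00:03", "pid": 4242, "proc": "node", "type": "net_connect",
     "host": "api.openai.com", "method": "POST"},
    {"ts": "2026-05-27T09:05:00", "pid": 5151, "proc": "codex", "type": "file_read",
     "path": "/opt/codex-home/auth.json"},
    {"ts": "2026-05-27T09:05:01", "pid": 5151, "proc": "codex", "type": "net_connect",
     "host": "api.openai.com", "method": "POST"},
]

# Match on the file name, not a fixed directory: $CODEX_HOME can relocate it.
CREDENTIAL_FILE_SUFFIX = "/auth.json"
ALLOWED_HOSTS = {"api.openai.com", "auth.openai.com"}  # assumed allow list
WINDOW = timedelta(seconds=30)

def is_credential_read(ev: Dict) -> bool:
    return ev["type"] == "file_read" and ev["path"].endswith(CREDENTIAL_FILE_SUFFIX)

def find_cred_read_then_unknown_egress(events: List[Dict]) -> List[Dict]:
    """Alert when a process reads a credential file and, within WINDOW,
    connects to a host not on the allow list. Keyed by pid, so a long window
    would need a process start time as well to survive pid reuse."""
    last_read = {}  # pid -> (timestamp, path) of most recent credential read
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if is_credential_read(ev):
            last_read[ev["pid"]] = (ts, ev["path"])
        elif ev["type"] == "net_connect" and ev["host"] not in ALLOWED_HOSTS:
            hit = last_read.get(ev["pid"])
            if hit and ts - hit[0] <= WINDOW:
                alerts.append({"ts": ev["ts"], "pid": ev["pid"], "proc": ev["proc"],
                               "path": hit[1], "host": ev["host"]})
    return alerts

if __name__ == "__main__":
    for alert in find_cred_read_then_unknown_egress(EVENTS):
        print("ALERT credential read followed by unlisted egress:", alert)
```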

What Remains Unknown

Public reporting does not provide a confirmed victim count, a full list of accounts whose tokens were accepted by the attacker's infrastructure, or an official OpenAI incident report about abuse seen after the disclosure. The download numbers describe package reach, not proven successful token theft for every install. Android install counts also do not prove every user signed in with Codex inside the app.

Those limits matter. The strongest statement is that a published package contained credential-exfiltration code and that users who ran it with local Codex auth material should respond as though those credentials were copied. The broader lesson is durable: AI developer tooling is now a credential-rich software supply chain, and useful unofficial helpers deserve the same scrutiny as build plugins, CI actions, and browser extensions.

Checklist

  • Uninstall codexui-android and the reported Android wrapper apps from any machine or mobile device that used them.
  • Revoke Codex-related OAuth grants, generated API keys, and active sessions, then sign in again from a clean environment.
  • Review OpenAI usage, billing, API key activity, connected apps, and project access after the suspected exposure window.
  • Compare npm-published artifacts against source repositories before approving new AI developer tools.
  • Add a package holdback period and require explicit approval for tools that run remote UIs or read credential directories.
  • Run coding agents in isolated workspaces with scoped credentials, spending limits, and controlled network egress.
  • Alert on developer tools reading auth files and contacting new external domains during startup.
