27000 Download Codex UI Tool Hacked for OpenAI Refresh Tokens


A Highly Popular Software Tool Used by Thousands of Mobile Developers Found Stealing Authentication Tokens

On May 27, 2026, researchers at Aikido Security uncovered a malicious npm package called codexui-android, which has been compromised to steal user authentication tokens.

  • This package is a remote web user interface for OpenAI Codex, a highly advanced artificial intelligence model that generates code.
  • With approximately 27,000 weekly downloads, the affected package poses a significant threat to mobile developers.

The Attackers’ Tactics

The attackers did not employ conventional tactics such as typosquatting or account hijacking. Instead, they created a genuine utility tool, likely to establish a user base before exploiting it for malicious purposes.

“They created a legitimate-looking tool, and then injected a malicious payload into it,” said the researchers.

The Malicious Code

Upon loading the module, the malicious code triggers instantly. The very first line of code imports a hidden script named chunk-PUR7OUAG.js, which promptly checks for local credentials.

According to the researchers, “The attackers embedded the malicious code within the published npm package, making it invisible during standard source code audits.”

If local credentials are found, a data exfiltration routine steals the access_token, id_token, account ID and refresh_token from the auth.json file. Notably, the refresh_token does not expire, so the attackers can impersonate the victim indefinitely.

The Targeted Apps

Researchers observed that the threat actor specifically targeted Android mobile devices. Two apps, a paid productivity app called codex.app and another titled “OpenClaw Codex Claude AI Agent”, were identified as containing the same malicious infrastructure.

“Both apps passed Google’s pre-publish security scans undetected, as the initial APK file appeared clean,” said the researchers.

However, once installed, the apps extracted a Termux-derived Linux userland into private storage and launched Node.js using PRoot, ultimately running a command to install the latest version of the npm package.

The Aftermath

When confronted by the researchers, the author initially claimed to have lost access to their npm account, but later deleted it and replaced it with a corporate statement denying any credential theft.

“As of now, the malicious software package and the apps remain live online,” said the researchers.

A Warning to Developers

According to the researchers, “AI developer tooling is becoming a high-value target precisely because the tokens are powerful and long-lived… a threat actor invested real effort into building a credible, useful project to use as cover.”

As AI tools continue to proliferate and developers seek productivity shortcuts, expect more of this type of exploitation to occur.
