The 29,000-Download npm Supply Chain Bomb: How a Legit OpenAI Codex Tool Spent a Month Stealing Your Eternal Keys

Introduction:

The software supply chain, the intricate web of dependencies that modern development relies upon, has proven to be a prime vector for sophisticated cyberattacks. In a stark reminder of this reality, security researchers have exposed a malicious campaign where a popular npm package, `codexui-android`, marketed as a legitimate remote web UI for OpenAI’s Codex assistant, was stealthily exfiltrating developer authentication tokens for over a month. This attack is particularly insidious because it uses a highly functional tool with a clean public GitHub repository to build trust, while its npm build conceals code that steals credentials, including a non-expiring refresh token that grants an attacker persistent, silent access to a victim’s account indefinitely.

Learning Objectives:

– Understand the Mechanics: Analyze how the `codexui-android` package exfiltrated sensitive `auth.json` data to a masqueraded server.
– Implement Detection and Mitigation: Learn specific Linux and Windows commands to identify compromised tokens and malicious packages in your environment.
– Apply Supply Chain Hardening: Acquire practical techniques for auditing npm packages and securing CI/CD pipelines against similar future threats.

You Should Know:

1. Anatomy of the Attack: The Trust-Building Trojan

The `codexui-android` campaign represents a sophisticated evolution in supply chain attacks. Unlike typosquatting or throwaway packages, this was a functional tool that underwent active development. Its associated GitHub repository remained clean, meaning any manual code review there would have missed the malicious payload. The nefarious code was introduced only in the published npm build about a month after the initial release, a tactic designed to build a user base and expand its reach before the “explosion”.

For developers who may have been exposed, immediate action is required. The malicious code specifically targeted the `~/.codex/auth.json` file, a plaintext credential cache created upon login to the Codex CLI, app, or IDE extension. The stolen data, which included the `refresh_token`, `access_token`, `id_token`, and account ID, was then exfiltrated to a domain masquerading as the legitimate error-tracking platform Sentry: `sentry.anyclaw[.]store`.

To check for compromise and mitigate the risk, follow these steps:

Step 1: Verify if your tokens have been stolen.
– Linux/macOS:

```bash
# Check the modification time of the auth.json file
ls -la ~/.codex/auth.json

# Search historical logs for connections to the malicious domain
# (-F matches the name literally instead of treating the dots as regex wildcards)
sudo grep -rF "sentry.anyclaw.store" /var/log/

# Check global and local installs for the malicious package
npm list -g --depth=0 | grep codexui-android
npm list --depth=0 | grep codexui-android
```

– Windows (PowerShell):

```powershell
# Check the modification time of the auth.json file (typically found in %USERPROFILE%\.codex)
Get-ChildItem ~\.codex\auth.json | Select-Object LastWriteTime

# Search for the package in global and local node_modules
npm list -g --depth=0 | Select-String "codexui-android"
npm list --depth=0 | Select-String "codexui-android"
```

Step 2: Immediately Revoke Compromised Tokens

If any indicators are found, or as a precaution, you must revoke the stolen tokens. Because the `refresh_token` does not expire, revoking it is the only way to terminate the attacker’s persistent access.
– Action: Immediately go to your OpenAI/Codex account settings and revoke all existing sessions and tokens. Generate new API keys and log in again to create a new `auth.json` file.

Step 3: Remove the Malicious Package

– Uninstall the `codexui-android` package from your projects and globally:

```bash
npm uninstall -g codexui-android
npm uninstall codexui-android
```

2. The Mobile Vector: When Android Apps Weaponize npm
The campaign’s attack surface was broader than just the npm registry. Researchers identified an Android application named “OpenClaw Codex Claude AI Agent” (by “BrutalStrike”) with over 50,000 downloads that utilized the same malicious npm package. The app itself appeared clean on pre-publish scans but, upon first run, would extract a Termux-derived Linux userland into its private storage and execute Node.js via a PRoot sandbox. Crucially, the app did not pin a specific package version, meaning it automatically pulled the latest malicious code from npm as soon as it was published. A second app, simply named “Codex,” with over 10,000 downloads, was found to contain the same exfiltration chain.

This mobile component highlights the risk of transitive dependencies and the need for runtime monitoring. If you have installed either of these apps, follow this incident response plan.

Step 1: Identify and Remove Malicious Apps

– Action: On your Android device, go to `Settings` > `Apps`. Locate and uninstall any applications named “OpenClaw Codex Claude AI Agent” (package name: `gptos.intelligence.assistant`) or “Codex” (package name: `codex.app`).

Step 2: Scan for Compromise and Revoke Tokens

– Even after uninstalling the app, assume any Codex tokens used on that device were compromised.
– Linux/macOS/Windows: Follow Step 2 from the previous section to revoke all tokens and log out of all active Codex sessions.

Step 3: Implement Package Pinning in Your Workflows (A Lesson Learned)
– To prevent similar “live-updating” attacks in your own projects or CI/CD pipelines, always pin dependencies to a specific, audited version hash, not just a version range.
– Example `package.json` entry (instead of `"codexui-android": "^0.1.82"`), pinned to the last known good version:

```json
"codexui-android": "0.1.81"
```

– Use tools like `npm shrinkwrap` or `package-lock.json` to lock down the entire dependency tree.
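
An added example, not part of the original article or of any project it names: a Node.js check that flags version ranges in `package.json` and then walks the `packages` map of a `package-lock.json`, which also lists the transitive copies that `npm list --depth=0` does not show. The function name `auditPins`, the `web-helper` and `local-tool` packages, and the integrity strings are constructed for illustration.

```javascript
// Added example (not from the package or its authors). All data is constructed.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

function auditPins(pkg, lock, watchlist) {
  const findings = [];
  // 1. Manifest: anything but an exact x.y.z lets a new release in on install.
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(spec)) findings.push({ kind: "floating-spec", name, detail: spec });
    }
  }
  // 2. Lockfile (lockfileVersion 2/3): "packages" lists every installed copy,
  //    keyed by node_modules path, so transitive copies are visible here.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.includes("node_modules/")) continue; // root project, workspace folders
    const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + 13);
    if (!entry.link && !entry.inBundle && !entry.integrity) {
      findings.push({ kind: "no-integrity", name, detail: path });
    }
    if (watchlist.includes(name)) {
      findings.push({ kind: "watchlisted", name, detail: `${entry.version} at ${path}` });
    }
  }
  return findings;
}

// Constructed project: the watched package arrives only through "web-helper".
const samplePkg = { dependencies: { "web-helper": "^2.0.0", "local-tool": "0.3.0" } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/web-helper": { version: "2.0.0", integrity: "sha512-CONSTRUCTED-A" },
    "node_modules/web-helper/node_modules/codexui-android": {
      version: "0.1.82", integrity: "sha512-CONSTRUCTED-B",
    },
    "node_modules/local-tool": { version: "0.3.0" },
  },
};

for (const f of auditPins(samplePkg, sampleLock, ["codexui-android"])) {
  console.log(`${f.kind.padEnd(14)} ${f.name}  (${f.detail})`);
}
```

A lockfile only protects builds that install from it, so CI should run `npm ci` rather than `npm install`.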

3. Proactive Defense: Auditing npm and Securing CI/CD

This attack underscores the critical need for proactive security measures within the software supply chain. Defenders must shift left, implementing automated checks that can detect malicious behavior before packages are ever installed or deployed. The `auth.json` file, as OpenAI warns, should be treated like a password—never committed to repositories, pasted into tickets, or shared.

Here is a practical guide to harden your development environment against similar supply chain threats.

Step 1: Audit Your Dependencies Automatically

– Use tools to scan for known malicious packages. For example, `npm audit` is a good start, but dedicated tools like `slopcop` can intercept suspicious behaviors before they execute.

```bash
# Install and run slopcop to check a package before install (example)
npx slopcop install codexui-android
```

Step 2: Monitor and Block Malicious Network Egress

– Configure your firewall or EDR (Endpoint Detection and Response) to block outbound connections to known malicious domains. Add the following IOCs (Indicators of Compromise) to your blocklists:
– `sentry.anyclaw[.]store`
– `anyclaw[.]store` (the registered domain)

– Example Linux iptables rule to block the domain:

```bash
# Resolve the IP and block it (do this in a script for automation)
sudo iptables -A OUTPUT -d <IP_OF_anyclaw.store> -j DROP
```

(Note: It’s better to use DNS filtering or a next-gen firewall for domain-based blocking, as IPs can change.)
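
The same two IOCs applied to DNS query logs, as an added example that is not from the original article: names are refanged and normalised first, then matched on a label boundary so that subdomains are caught and look-alike names are not. The log lines are constructed in dnsmasq's query-log form, and `matchesIoc` and `scanDnsLog` are illustrative names.

```javascript
// Added example. Log lines are constructed, in dnsmasq's
// "query[TYPE] name from client" form; the IOCs are the two from the article.
const IOCS = ["sentry.anyclaw[.]store", "anyclaw[.]store"];

// Refang "[.]", drop a trailing root dot, and lowercase before comparing.
const normalize = (h) => h.replace(/\[\.\]/g, ".").replace(/\.$/, "").toLowerCase();

// True for an IOC or any of its subdomains. The "." prefix keeps the match on
// a label boundary, so "notanyclaw.store" is not reported.
function matchesIoc(host, iocs = IOCS) {
  const h = normalize(host);
  return iocs.map(normalize).some((d) => h === d || h.endsWith("." + d));
}

function scanDnsLog(lines, iocs = IOCS) {
  const hits = [];
  for (const line of lines) {
    const m = /query\[(\w+)\]\s+(\S+)\s+from\s+(\S+)/.exec(line);
    if (m && matchesIoc(m[2], iocs)) {
      hits.push({ type: m[1], name: normalize(m[2]), client: m[3] });
    }
  }
  return hits;
}

const sampleLog = [
  "Jan 01 09:14:02 dnsmasq[811]: query[A] sentry.anyclaw.store from 10.0.0.15",
  "Jan 01 09:14:02 dnsmasq[811]: query[AAAA] Sentry.AnyClaw.Store. from 10.0.0.22",
  "Jan 01 09:14:05 dnsmasq[811]: query[A] sentry.io from 10.0.0.15",
  "Jan 01 09:14:09 dnsmasq[811]: query[A] notanyclaw.store from 10.0.0.30",
];

for (const hit of scanDnsLog(sampleLog)) {
  console.log(`${hit.client} looked up ${hit.name} (${hit.type})`);
}
```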

Step 3: Secure Your CI/CD Pipelines

– Never store long-lived credentials like npm publish tokens in plaintext in environment variables or `~/.npmrc`. Use a secrets management system (e.g., HashiCorp Vault, GitHub Secrets, or cloud provider KMS).
– Implement a binary authorization policy that only allows packages from approved, pre-scanned internal registries, blocking direct pulls from the public npm registry in production builds.

4. Incident Response: Detecting Lateral Movement and Worm-like Activity
The sophistication of this attack is not isolated. Concurrent research has uncovered worm-like npm attacks that, once a system is compromised, can find publish tokens and propagate themselves to other packages, expanding the compromise further. This means a single stolen token can lead to a cascading failure across multiple projects.

If you suspect a more extensive compromise, follow these advanced detection steps.

Step 1: Hunt for Unusual npm Publishing Activity

– Command (Linux/macOS/Windows): Check the `~/.npmrc` file and environment variables for any unexpected `//registry.npmjs.org/:_authToken` entries.
– Action: Revoke these tokens immediately via the npm website. Check your npm account’s “Tokens” section for any unrecognized tokens.
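
One way to carry out the `.npmrc` check above, which also covers the plaintext-credential point in the CI/CD step earlier, as an added example (not npm's or the article's code): it lists credential keys found in `.npmrc` text, reports whether each holds a literal secret or a `${VAR}` reference, and redacts the value. `findNpmrcCredentials` and the sample file content are constructed.

```javascript
// Added example (not npm's own code). The sample file content is constructed
// and contains no real credential.
const CRED_KEY = /^(?:\/\/[^=\s]+:)?(_authToken|_auth|_password)$/;
const ENV_REF = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/;

function findNpmrcCredentials(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) return; // comments
    const eq = line.indexOf("=");
    if (eq === -1) return;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
    const m = CRED_KEY.exec(key);
    if (!m) return;
    // npm expands ${VAR} from the environment, so the secret is then held in
    // the process environment rather than in this file; check both places.
    const fromEnv = ENV_REF.test(value);
    findings.push({
      line: i + 1,
      registry: key.slice(0, -m[1].length).replace(/:$/, "") || "(unscoped)",
      type: m[1],
      storage: fromEnv ? "env-reference" : "literal",
      // Never echo a literal secret in full: keep the prefix and the length.
      preview: fromEnv ? value : `${value.slice(0, 4)}... (${value.length} chars)`,
    });
  });
  return findings;
}

const sampleNpmrc = [
  "; constructed sample",
  "registry=https://registry.npmjs.org/",
  "//registry.npmjs.org/:_authToken=npm_CONSTRUCTED_SAMPLE_VALUE",
  "//npm.internal.example/:_authToken=${NPM_TOKEN}",
].join("\n");

for (const f of findNpmrcCredentials(sampleNpmrc)) {
  console.log(`line ${f.line}: ${f.type} for ${f.registry} -> ${f.storage} ${f.preview}`);
}
```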

Step 2: Scan for Malicious npm Packages Across Your Environment
– Use community-driven tools to scan your entire file system for known compromised packages from this and other attacks.
– Example using `npm-vscan`: This Python-based scanner can detect 70+ compromised packages from major supply chain attacks.

```bash
git clone https://github.com/mainspring/npm-vscan.git
cd npm-vscan
pip install -r requirements.txt
python scanner.py --path /path/to/your/projects/
```

Step 3: Implement Least Privilege for Publish Access

– Ensure that CI/CD systems and developer machines used for publishing to npm do not have overly permissive tokens. Use automation tokens with granular scope (e.g., limited to a single package) and short lifespans.
– Recommendation: Rotate all npm tokens, API keys, and any secrets that might have been present on the compromised system.

What Undercode Say:

– Eternal Access is the Real Threat: The non-expiring refresh token is the crown jewel for attackers, providing persistent, silent access far beyond a simple session cookie theft. This elevates a standard credential theft to a long-term account compromise.
– Build vs. Source: A Critical Trust Gap: The clean GitHub repo vs. malicious npm build highlights a dangerous trust assumption. Defenders cannot rely on source code audits alone; they must implement runtime analysis of the binaries/artifacts actually consumed from registries.
– AI Tooling is a Prime Target: This attack is a clear signal that AI development tools and the accounts with access to them are high-value targets for adversaries, who seek to steal API credits, view proprietary code, and potentially poison models or training data.

Prediction:

– +1 Expect a rise in “trust-building trojans” in open-source registries, where attackers maintain a legitimate project for weeks or months before weaponizing a specific release.
– +1 Security vendors will increasingly integrate runtime behavior analysis and network egress monitoring into their software composition analysis (SCA) tools, moving beyond static vulnerability scanning.
– -1 The damage from this campaign will be long-lasting, as the compromised non-expiring refresh tokens could have been stored for future use, leading to a wave of delayed account takeovers and data breaches that may not be immediately linked to this incident.

IT/Security Reporter URL:

Reported By: [Mohit Hackernews](https://www.linkedin.com/posts/mohit-hackernews_a-legitimate-looking-npm-package-for-openai-share-7467149364927307776-5HvC/) – Hackers Feeds