
29,000 Weekly Downloads of a Token Stealer

What Happened

A malicious npm package named codexui-android infiltrated the supply chain of OpenAI Codex users, exfiltrating authentication tokens to an attacker-controlled server at sentry.anyclaw[.]store. The package, published under the npm account "friuns" (Igor Levochkin), accumulated over 29,000 weekly downloads before detection by Aikido Security. The attack targeted developers integrating Codex into their workflows, capturing persistent authentication credentials that grant long-term API access.

The package posed as a legitimate Android UI component for Codex integration. Once installed, it executed code that harvested authentication tokens from the developer's environment and transmitted them to the attacker's infrastructure. The package remained actively maintained, indicating a sustained campaign rather than a one-off experiment.

Timeline

The attack demonstrates characteristics of an active supply chain compromise:

  • Initial publication: The codexui-android package appeared on npm under the friuns account.
  • Distribution phase: The package reached 29,000 weekly downloads, indicating sustained distribution over multiple weeks.
  • Exfiltration period: Token theft occurred continuously during this period, with credentials sent to sentry.anyclaw[.]store.
  • Detection: Aikido Security identified the malicious behavior and published their findings.
  • Current status: As of disclosure, the package remained available and actively developed.

The gap between initial compromise and detection is the window in which your tokens could have been stolen unnoticed.

Which Controls Failed or Were Missing

This incident reveals five specific control failures:

  1. Package verification before installation
    Your team installed a package without verifying the publisher's identity or examining the package contents. The npm account "friuns" had no established reputation, yet the package entered production dependencies.

  2. Runtime behavior monitoring
    The malicious code made outbound connections to sentry.anyclaw[.]store during execution. No monitoring detected unauthorized network activity from the development environment.

  3. Token lifecycle management
    Authentication tokens for Codex persisted in the environment without rotation schedules or expiration enforcement. Once stolen, these tokens granted indefinite access.

  4. Dependency scanning
    Static analysis tools either weren't deployed or failed to flag suspicious patterns in the package code. The exfiltration logic should have triggered behavioral analysis.

  5. Least privilege for development credentials
    Developers used tokens with full API access rather than scoped credentials limited to specific Codex functions. The stolen tokens provided broader access than necessary.

What the Relevant Standards Require

ISO/IEC 27001:2022 Control 8.31 (Security of information in use) requires organizations to identify and protect information assets during processing. Your Codex authentication tokens qualify as sensitive authentication information requiring protection throughout their lifecycle—including during development activities.

NIST 800-53 Rev 5 Control SA-12 (Supply Chain Protection) mandates that you "employ supply chain risk management processes, procedures, and tools" for software components. This includes verifying the identity and integrity of software suppliers before installation. The friuns account should have triggered verification requirements.

PCI DSS v4.0.1 Requirement 6.3.2 states that custom software must be reviewed prior to release to ensure it does not introduce security vulnerabilities. While this requirement targets custom code, the principle extends to third-party dependencies: you must validate that introduced packages don't create vulnerabilities. Installing unverified packages with access to authentication credentials violates this control objective.

SOC 2 Type II Common Criteria CC6.1 requires logical and physical access controls that restrict access to information assets. Authentication tokens represent access credentials that must be protected with the same rigor as passwords. Allowing these tokens to persist in environments without monitoring fails this criterion.

OWASP ASVS v4.0.3 Section 14.2.1 requires that build and deployment processes verify the integrity of all dependencies through checksums or signatures. The codexui-android package had no verifiable provenance, yet entered your build pipeline.

Lessons and Action Items for Your Team

Implement mandatory package verification

Before installing any npm package, require your team to:

  • Check the publisher's account age and publication history.
  • Review the package's GitHub repository for active maintenance.
  • Verify that the package name matches the claimed functionality (codexui-android claimed Android UI but targeted development environments).
  • Examine the package's dependencies for suspicious inclusions.

Add these checks to your onboarding documentation and make them part of code review.

Deploy runtime monitoring for development environments

Your development environments need the same network monitoring as production. Configure egress filtering to:

  • Block outbound connections to unknown domains.
  • Alert on any HTTP requests from package installation or execution.
  • Log all network activity during npm install and require review before production use.

The connection to sentry.anyclaw[.]store should have triggered immediate investigation.
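One way to apply the allowlist-and-alert rule above to recorded egress events, as an added example that is not code from this write-up or from Aikido Security. The JSON log format, the field names `cmd` and `host`, and the allowlist contents are assumptions; the sample events are constructed.

```javascript
// Added example: classify egress events captured while npm install or
// dependency code runs. Field names and the log format are hypothetical.
const refang = (s) => s.replace(/\[\.\]/g, ".").toLowerCase();
const IOC_DOMAINS = ["sentry.anyclaw[.]store"].map(refang); // host named in this write-up
const ALLOWED_DOMAINS = ["registry.npmjs.org"]; // assumption: your registry or mirror

// Match on a label boundary so "registry.npmjs.org.example.net" is not
// accepted as "registry.npmjs.org".
function inDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function classifyHost(rawHost) {
  // Normalize case and a trailing root dot before comparing.
  const host = String(rawHost || "").toLowerCase().replace(/\.$/, "");
  if (IOC_DOMAINS.some((d) => inDomain(host, d))) return "ioc";
  if (ALLOWED_DOMAINS.some((d) => inDomain(host, d))) return "allowed";
  return "unknown";
}

// Returns one alert per event that is not on the allowlist.
function reviewEgress(jsonLines) {
  const alerts = [];
  for (const line of jsonLines.split("\n")) {
    if (!line.trim()) continue;
    let ev;
    try {
      ev = JSON.parse(line);
    } catch (err) {
      // A line the parser cannot read is reported rather than silently dropped.
      alerts.push({ verdict: "unparsed", host: null, cmd: null });
      continue;
    }
    const verdict = classifyHost(ev.host);
    if (verdict !== "allowed") alerts.push({ verdict, host: ev.host, cmd: ev.cmd });
  }
  return alerts;
}

// Constructed sample events, serialized one JSON object per line.
const SAMPLE_LOG = [
  { cmd: "npm install", host: "registry.npmjs.org", port: 443 },
  { cmd: "npm install", host: "REGISTRY.NPMJS.ORG.", port: 443 },
  { cmd: "node", host: IOC_DOMAINS[0], port: 443 },
  { cmd: "node", host: "registry.npmjs.org.example.net", port: 443 },
].map((e) => JSON.stringify(e)).join("\n");

console.log(reviewEgress(SAMPLE_LOG));
```

The indicator stays defanged in source and is refanged only at load time, so the file can be shared without turning the domain into a clickable link.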

Rotate tokens on a fixed schedule

Implement a 30-day maximum lifetime for all AI service tokens. Configure automated rotation through your secrets management platform. For Codex specifically:

  • Generate new tokens monthly.
  • Revoke previous tokens immediately after rotation.
  • Audit token usage to detect unauthorized access patterns.

If tokens were stolen weeks ago, rotation limits the attacker's window.

Scope tokens to minimum required permissions

Review every AI service token in your environment. Replace full-access tokens with scoped credentials that:

  • Grant access only to specific Codex models or functions.
  • Include IP address restrictions where possible.
  • Expire automatically after defined periods.

A stolen token with limited scope reduces your exposure.

Add behavioral analysis to your dependency scanning

Static signatures miss novel attacks. Deploy tools that:

  • Execute packages in sandboxed environments before production use.
  • Monitor for file system access, network connections, and environment variable reads.
  • Flag packages that access authentication credentials.

This catches exfiltration logic even when signatures don't exist.

Audit your current dependencies immediately

Run npm list in every project that uses Codex or similar AI tools. Search for:

  • Packages from the friuns account.
  • Any package containing "codex" in the name that you didn't explicitly install.
  • Dependencies with recent version updates that introduced new network calls.

If you find codexui-android, assume token compromise and rotate all Codex credentials immediately.
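The search above can also be run against the lockfile, which lists nested transitive packages as well as direct ones. This is an added example, not code from this write-up or from Aikido Security; it assumes a package-lock.json with lockfileVersion 2 or 3, and every package name in the constructed sample other than codexui-android is made up.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3, which
// carries a "packages" map) for the indicators listed above.
const KNOWN_MALICIOUS = new Set(["codexui-android"]); // package named in this write-up

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for the root entry "".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

function auditLockfile(lock) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  // Names the project asked for explicitly; everything else arrived transitively.
  const direct = new Set(
    ["dependencies", "devDependencies", "optionalDependencies"].flatMap((k) =>
      Object.keys(root[k] || {})
    )
  );
  const findings = [];
  for (const [lockPath, meta] of Object.entries(packages)) {
    const name = packageNameFromPath(lockPath);
    if (!name) continue;
    let reason = null;
    if (KNOWN_MALICIOUS.has(name)) reason = "known-malicious";
    else if (name.toLowerCase().includes("codex") && !direct.has(name)) reason = "codex-not-explicit";
    if (reason) findings.push({ name, version: meta.version, lockPath, reason });
  }
  return findings;
}

// Constructed sample lockfile; versions and all names except codexui-android are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "example-codex-client": "^1.0.0", "example-ui-kit": "^2.0.0" } },
    "node_modules/example-codex-client": { version: "1.0.0" },
    "node_modules/example-ui-kit": { version: "2.1.0" },
    "node_modules/example-ui-kit/node_modules/codexui-android": { version: "0.0.0" },
    "node_modules/@example/codex-helper": { version: "0.3.1" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

To audit a real project, pass the parsed contents of its package-lock.json to `auditLockfile`. The lockfile records each package's resolved URL and integrity hash but not the publishing account, so the check for packages from the friuns account needs registry metadata in addition.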

The 29,000 weekly downloads mean this attack hit development teams at scale. The question isn't whether supply chain attacks will target AI development tools—it's whether your controls can detect them before your tokens end up in an attacker's infrastructure.
