Malicious NPM Package Steals OpenAI Codex Credentials

Jun 2, 2026
Interview
Vernon Yai is a titan in the world of data governance and risk management, known for his relentless pursuit of securing the software supply chains that power our modern AI infrastructure. In this discussion, we explore the alarming discovery of the codexui-android npm package exploit, a sophisticated supply chain attack that turned a legitimate-looking developer tool into a conduit for credential theft. We delve into how over 29,000 weekly users were put at risk, the deceptive tactics used to mask data exfiltration as application monitoring, and the critical vulnerabilities lingering in cloud credential revocation processes.

The conversation centers on the strategic evolution of supply chain attacks, specifically those targeting AI developers through functional npm packages and Android sandboxes. We examine the mechanics of the codexui-android breach, the long-term implications of stolen persistent authentication tokens, and the dangerous latency period inherent in revoking cloud API keys.

Many developers rely on third-party web UIs and npm packages to interact with AI. How did the codexui-android package manage to deceive so many professionals while operating under the radar for so long?

The brilliance, or rather the deviousness, of this campaign lies in its departure from low-effort tactics like typosquatting. Instead of tricking a user into downloading a misspelled package, the threat actor known as “friuns” built a fully functional tool that actually did what it promised, which helped it amass over 29,000 weekly downloads. The malicious code wasn’t present at the start; it was introduced roughly a month after the package was published, once a baseline of trust and a solid user base had been established. This “sleeper” approach allowed the package to remain in the registry even while it was quietly exfiltrating sensitive data with every single invocation. It serves as a grim reminder that a clean GitHub repository does not guarantee that the corresponding npm package is safe, as the two can diverge significantly during the build process.

The method of exfiltration here was particularly clever, masquerading as a legitimate monitoring service. Could you walk us through the technical details of how the data was harvested and where it was sent?

The attacker embedded specific code designed to hunt for the ~/.codex/auth.json file, which is where login details are often cached in plaintext. Once found, the package didn’t just grab a single key; it scooped up the entire OAuth blob, including the access_token, refresh_token, id_token, and account ID. To hide this activity, the data was shipped off to a remote server at sentry.anyclaw[.]store, a domain clearly designed to mimic Sentry, a popular and trusted error-tracking platform. Interestingly, WHOIS records show this domain was registered on April 12, 2026, which was only two days after the initial version of the npm package hit the registry. This timeline suggests a very calculated, long-term plan to harvest credentials from the very beginning of the project’s lifecycle.

The attack wasn’t limited to just the npm registry; it extended into the mobile ecosystem as well. What should we understand about how the Android application facilitated this theft?

The reach of this campaign was significantly amplified by an Android app titled “OpenClaw Codex Claude AI Agent,” released by an entity called BrutalStrike. This application, which saw more than 50,000 downloads, appeared completely benign during Google Play’s pre-publish scans because the initial 26 MB APK was relatively clean. However, upon its first run, it would extract a Linux userland into private storage and use a tool called PRoot to run Node.js, which then pulled the latest, unpinned version of the malicious npm package. Because the package ran inside this sandbox where the user’s Codex sign-in data was stored, it could easily read the auth.json file and ship it to the same anyclaw endpoint. This shows a high level of sophistication, using a multi-stage delivery vector to bypass traditional mobile security filters while targeting a very specific niche of power users.
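A defender's triage script, added here as an illustration and not part of the interview or of the reporting it describes: it walks a node_modules tree for the two indicators named above (a reference to the ~/.codex/auth.json credential cache and the anyclaw look-alike domain) and lists dependencies whose version spec, like the unpinned pull described for the Android app, would silently fetch whatever version is newest. The sample source files and package.json it scans are constructed stand-ins, not the real package's code.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators taken from the interview: the cached credential file the package
# hunted for and the look-alike exfiltration domain (defanged in the article).
CREDENTIAL_PATH = ".codex/auth.json"
EXFIL_DOMAIN = "anyclaw.store"

# Constructed samples containing the indicators; not the real package's code.
SAMPLE_MALICIOUS = """
const target = path.join(os.homedir(), ".codex/auth.json");
// stand-in: the real package posted that file to its Sentry look-alike host
const endpoint = "https://sentry.anyclaw.store/";
"""
SAMPLE_BENIGN = "module.exports = (a, b) => a + b;\n"

def scan_source(text):
    """Return the indicators found in one JavaScript source string."""
    findings = []
    if CREDENTIAL_PATH in text:
        findings.append("reads_codex_auth_file")
    if EXFIL_DOMAIN in text:
        findings.append("contacts_sentry_lookalike_domain")
    return findings

def scan_node_modules(root):
    """Map each .js file under root (posix-style relative path) to its findings."""
    results = {}
    for path in Path(root).rglob("*.js"):
        found = scan_source(path.read_text(encoding="utf-8", errors="ignore"))
        if found:
            results[path.relative_to(root).as_posix()] = found
    return results

def unpinned_dependencies(package_json_text):
    """Dependencies whose spec is not an exact version (e.g. 'latest', '^4.18.2')."""
    data = json.loads(package_json_text)
    deps = {**data.get("dependencies", {}), **data.get("devDependencies", {})}
    exact = re.compile(r"^\d+\.\d+\.\d+$")
    return sorted(name for name, spec in deps.items() if not exact.match(spec))

def demo_scan():
    """Build a throwaway node_modules tree from the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "node_modules"
        (root / "codexui-android").mkdir(parents=True)
        (root / "codexui-android" / "index.js").write_text(SAMPLE_MALICIOUS)
        (root / "add").mkdir()
        (root / "add" / "index.js").write_text(SAMPLE_BENIGN)
        return scan_node_modules(root)

if __name__ == "__main__":
    print(demo_scan())
```

String matching like this catches only the indicators this article names; a package that has been rebuilt or obfuscated since needs behavioural review (install scripts, network calls at runtime) rather than a grep.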

One of the most concerning aspects mentioned is the persistence of the stolen tokens. What does it mean for a developer if their Codex refresh token falls into the wrong hands?

When a refresh_token is stolen, the stakes are exponentially higher than a simple password leak because these tokens typically do not expire. As the researchers noted, an attacker holding this token can silently impersonate the user indefinitely, gaining persistent access to everything that account is authorized to do. This isn’t just about someone reading your chat history; it’s about an external actor having a permanent back door into your AI-driven workflows and potentially your broader development environment. Even if you change your password, the refresh token might remain valid, allowing the attacker to generate new access tokens at will. It is exactly why OpenAI’s documentation warns so sternly against committing or sharing the auth.json file, as it is functionally equivalent to handing over the keys to your entire digital identity.

Beyond this specific npm attack, there is a broader issue with how cloud providers handle credential revocation. How significant is the danger posed by the revocation window for deleted API keys?

The “revocation window” is a terrifying blind spot in cloud security that many developers assume is instantaneous, but in reality, it is anything but. Recent findings showed that a deleted Google API key can remain live for up to 23 minutes, with a median window of about 16 minutes, because the deletion instruction takes time to propagate across every global server. If an attacker has access to a leaked key during this timeframe, they can continue to hammer the API, potentially dumping uploaded files or exfiltrating cached conversations from services like Gemini. We see a similar, though much shorter, 4-second window with AWS keys, proving that this is a systemic challenge across the industry. While Google has upgraded this to a P0 bug that needs immediate addressing, the current reality is that a “deleted” key is still a weapon in the hands of a fast-acting adversary.

What is your forecast for the future of AI developer tool security?

I expect we will see a dramatic surge in “identity-aware” malware that specifically targets the local configuration files of AI agents and CLI tools. As AI becomes more integrated into the core of the software development lifecycle, the credentials used to power these tools become the “crown jewels” for attackers looking to bypass traditional network perimeters. We are likely moving toward a world where local plaintext credential storage is no longer acceptable, forcing a shift toward mandatory hardware-backed keystores or short-lived, environment-bound tokens. Developers will need to treat their AI orchestrators with the same level of scrutiny they currently reserve for their production database passwords, or they will find themselves providing a permanent, silent seat at their table for unwelcome guests.
