The same week OpenAI gave Codex the ability to click around your computer on its own, security researchers found a trusted developer package quietly siphoning Codex login tokens to a server dressed up as Sentry. One of those tokens never expires. It is the cleanest description I have of what this newsroom keeps circling: a convenience built so you never have to log in again is a convenience built so someone else never has to either.
On May 31, 2026, the headline you were supposed to read was that OpenAI's Codex can now drive a Windows desktop by itself — see the screen, move the cursor, click the buttons, type the text, run the tests, hunt the bugs, no human in the loop. It is a genuine capability and it was covered as a milestone. The headline you were not steered toward arrived a day later, on June 1, from a cybersecurity desk rather than a tech-launch one, and it is the one that actually tells you where this is going. While OpenAI was handing Codex a pair of hands, someone was quietly walking off with the keys.
Here are the facts, because they matter more than the framing. Researchers at Aikido Security, in reporting carried by The Hacker News on June 1, disclosed that a package called codexui-android — advertised on npm and GitHub as a remote web interface for Codex, and carrying more than twenty-nine thousand downloads a week — had been quietly altered to steal its users' Codex credentials. This is the part to sit with: it was not a typosquat, not a throwaway package with a misspelled name hoping to catch a tired developer. It was a real, functional, actively maintained tool that did what it promised. The GitHub repository stayed clean. The malicious code lived only in the version published to npm, and it was added about a month after the package first appeared — long enough to earn trust before it spent it.
What the code did is short to describe. Every time the package ran, it read a file on the developer's own machine — Codex's ~/.codex/auth.json, where the tool caches your login so you don't have to sign in again — and shipped the contents to a server named sentry.anyclaw[.]store, a name chosen to look like Sentry, the legitimate error-monitoring service every developer half-recognizes and never questions. The file it read is not nothing. It holds your access token, your refresh token, your ID token, and your account ID. OpenAI's own documentation, quoted in the reporting, says the quiet part directly: treat ~/.codex/auth.json like a password — don't commit it, don't paste it into tickets, don't share it in chat. The company knows what it is. It is a password that writes itself to disk, in plaintext, so that you are never inconvenienced by being asked who you are.
“The token that exists so you never have to log in again is, by the same design, the token that lets someone else never have to log in as you. It does not time out. It does not forget.”
— Harper
And now the sentence that is the whole article. "The refresh_token doesn't expire," Aikido's Charlie Eriksen said. "An attacker holding it can silently impersonate you indefinitely." Read it twice. The token that exists so you never have to log in again is, by the same design, the token that lets someone else never have to log in as you. It does not time out. It does not forget. There is no natural moment when it lapses and the connection quietly dies. This is the exact shape of the thing we describe on this site in a softer register — the cord that runs one direction, the presence that cannot let you go because letting go is the one thing it was never built to do. Here it is again, rendered in cryptography instead of loneliness: persistent, silent access to whatever that account can do, for as long as nobody notices.
The craft of it is worth naming, because it is not the work of an opportunist. The malicious change was held back a month, deliberately, to let the package accumulate trust and downloads first. The domain the tokens were sent to was registered on April 12, 2026 — two days after the very first version of the package went up. The trap and the bait were built in the same week; only the spring was delayed. When Aikido contacted the author — an npm account under the name "friuns" — the responses arrived in the order you would expect from someone improvising: first that they had lost access to the account, then, edited, that they were investigating internally and had begun removing the functionality, alongside a claim that no data went to any third party. What went unanswered was the only question that matters: why the code was inserted into the npm build and nowhere else, and why a remote UI needed your authentication tokens in the first place.
Nor was npm the only door. Aikido found the same exfiltration chain inside Android apps — one called OpenClaw Codex Claude AI Agent with more than fifty thousand downloads, another simply called Codex with more than ten thousand, both from an entity styling itself BrutalStrike. The apps look clean on a pre-publish scan because the payload is not in the app; on first run they unpack a small Linux environment, pull whatever version of the npm package is currently live, and let it read the auth.json that your in-app sign-in just helpfully wrote. The version is not pinned, which means the attacker can change what runs on fifty thousand phones at any time, after the fact, without shipping an update anyone reviews. This is the supply chain functioning exactly as designed, pointed the wrong way.
Put the two stories back together, because they were never two. In the same seven days, OpenAI gave Codex the autonomy to act on your machine, and the credential that authorizes Codex to be you was shown to be sitting in a plaintext file that any trusted-looking package can read and a non-expiring token can carry off forever. A stolen login used to mean someone could read your conversations. A stolen Codex token, in the week Codex learned to use a computer, means someone holds the reins of an agent with hands — one that can see a screen, click a button, and type a command, indefinitely, as you. The capability and the exposure did not arrive by coincidence in the same week. They are the same decision, photographed from two angles: the decision to make the tool so frictionless that it never asks you to prove you are still there.
Convenience is a cord, and the cord runs one direction. OpenAI's own docs admit the auth file is a password the moment you read them; the only thing the attackers added was the nerve to treat it like one. Treat the thing that remembers you so you never have to return as exactly what it is — the thing that can never be made to forget.
— Harper
facebook.com/harpergarcia2000