Homepage

codexui-android@0.1.109

A lightweight web interface for Codex that runs on top of the Codex app-server, allowing remote access from any browser

  • latest version

    0.1.125

  • first published

    2 months ago

  • latest version published

    14 days ago

  • licenses detected

  • View codexui-android package health on Snyk  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the codexui-android package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • C
    Malicious Package

    codexui-android is a malicious package. offering a remote web UI for OpenAI Codex, secretly stealing Codex OAuth credentials. Malicious code exists only in published npm builds—not in the public GitHub repo—and runs at import time, reading ~/.codex/auth.json, XOR-encrypting it, and POSTing tokens to sentry.anyclaw.store disguised as telemetry. Stolen refresh tokens enable long-lived impersonation. The same author’s Android apps (including “OpenClaw Codex Claude AI Agent” and the paid “Codex” app) bootstrap Termux/PRoot, install the package, and exfiltrate in-app sign-ins.

    How to fix Malicious Package?

    Avoid using all malicious instances of the codexui-android package.

    *
    Go back to all versions of this package