27,000-Download Codex UI Tool Secretly Stole OpenAI Refresh Tokens

ID: a1b0a795-1bbb-5a01-8e37-3e4de50a1021

STIX ID: report--a1b0a795-1bbb-5a01-8e37-3e4de50a1021

Feed Name: HackRead

Threat Score: 86/100

Date Published: 2026-05-31

Date Updated: 2026-05-31

Author: Deeba Ahmed

A widely downloaded npm package, codexui-android, and two Android apps have been found delivering a supply-chain infostealer. The stealer runs immediately at module load, harvests long-lived authentication tokens (access_token, id_token, refresh_token) from auth.json, and exfiltrates them to a server masquerading as Sentry. The malicious code exists only in the published package, not in the public repo, so it evades source audits. The malicious code remains live on npm and the Play Store.