OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack

## Executive Summary Security researchers disclosed a malicious supply-chain campaign in which a functioning npm package (codexui-android) and associated Android apps silently exfiltrate OpenAI Codex authentication tokens (including non-expiring refresh_tokens) to sentry.anyclaw.store, enabling indefinite account impersonation; the package and apps have significant distribution and the domain and package/version indicators are observable.