Malicious npm Package Targets OpenAI Codex Users and Exposes Supply Chain Risks2. June 20264. July 2026Cybersecurity, OpenAIAttackers exploited a seemingly legitimate npm package with 27,000 weekly downloads to steal refresh tokens that grant unlimited access to accounts. Share on: