Malware4 min read
OpenAI Codex Users Hit by Token-Stealing npm Package
Malicious codexui-android npm package stole OpenAI refresh tokens from 29K developers. Mobile apps with 60K installs also compromised—revoke credentials now.
James RiveraJun 3, 2026