A popular OpenAI Codex tool with 29,000 weekly downloads has been quietly stealing developer tokens for a month
The npm package looked legitimate. It had an active GitHub repository, steady development history, and roughly 29,000 weekly downloads. For developers using OpenAI Codex, it offered