Briefings


Two npm supply chain operations in seven days: one against Red Hat toolchain packages, self-spreading and credential-harvesting before signature verification flagged them; one against OpenAI's Codex developer team, a dependency that presented as infrastructure tooling, cleared contributor trust checks, and exfiltrated authentication tokens before the registry pulled it. The Red Hat worm propagated laterally. The Codex tokens were gone. Both used MITRE T1195.002, supply chain compromise at the software dependency layer, and both worked against organisations whose security functions are not decorative.

OpenAI's documentation for Codex describes the product as a tool that helps developers write better code. The npm package that extracted Codex developer tokens this week was also written to run against a developer. The difference is whose credentials it targeted. For APAC financial institutions running AI-assisted development toolchains against production environments, the relevant framework is the MAS Technology Risk Management Guidelines (2021 revision), which require a documented inventory and approval process for third-party software dependencies before they reach production. An AI coding assistant generates and installs npm packages at a velocity that no manual review gate can process at current staffing ratios, and the registry does not distinguish whether a given package was chosen by a human or suggested by a model. The npm Security Advisories for both incidents are published on the registry's advisory feed as of June 2, 2026; any institution that learned about either event from a news summary rather than from a subscribed advisory feed has a detective control gap the 2021 MAS TRM revision already required them to close.
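One way to automate the inventory-and-approval gate described above, so it runs on every lockfile change regardless of who or what picked the package. This is an added example, not code from the briefing, MAS or npm. The approved inventory, package names and integrity strings are constructed; `packages`, `integrity`, `link` and `hasInstallScript` are fields of npm's lockfileVersion 2/3 format.

```javascript
// Constructed sample: approved inventory (name -> approved versions) and a
// package-lock.json (lockfileVersion 3) fragment. All package names are made up.
const APPROVED = { "left-util": ["1.4.2"], "http-lite": ["2.0.0", "2.0.1"] };

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "payments-api", version: "0.1.0" },
    "node_modules/left-util": { version: "1.4.2", integrity: "sha512-CONSTRUCTED" },
    "node_modules/http-lite": { version: "2.0.3", integrity: "sha512-CONSTRUCTED" },
    "node_modules/example-infra-helper": { version: "0.0.9", integrity: "sha512-CONSTRUCTED", hasInstallScript: true },
    "node_modules/http-lite/node_modules/left-util": { version: "1.3.0" },
  },
};

// The package name is whatever follows the last "node_modules/" in the lockfile
// key; this also covers nested copies and scoped names (@scope/name).
function packageName(lockKey) {
  const i = lockKey.lastIndexOf("node_modules/");
  return i === -1 ? lockKey : lockKey.slice(i + "node_modules/".length);
}

// Returns one finding per locked package (direct or transitive) that fails the gate.
function gateLockfile(lock, approved) {
  if (!lock.packages) throw new Error("lockfileVersion 2 or 3 required (no 'packages' map)");
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "" || entry.link) continue; // skip root project and workspace symlinks
    const name = entry.name || packageName(key);
    const reasons = [];
    if (!Object.prototype.hasOwnProperty.call(approved, name)) reasons.push("not-in-inventory");
    else if (!approved[name].includes(entry.version)) reasons.push("version-not-approved");
    if (!entry.integrity) reasons.push("missing-integrity");
    if (entry.hasInstallScript) reasons.push("install-script"); // runs code at install time
    if (reasons.length) findings.push({ name, version: entry.version, path: key, reasons });
  }
  return findings;
}

const sampleFindings = gateLockfile(SAMPLE_LOCK, APPROVED);
for (const f of sampleFindings) console.log(`${f.name}@${f.version} (${f.path}): ${f.reasons.join(", ")}`);
// A CI job would fail the build when the findings list is non-empty.
```

Because the check reads the lockfile rather than `package.json`, transitive dependencies are held to the same inventory as direct ones.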

Strong. The MAS TRM call lands exactly where it should and the closing sentence does the work of three paragraphs. -- WR