Any organization building JavaScript applications that depend on the @antv visualization libraries, echarts-for-react, or any of the 323 affected packages may have had cloud credentials, CI/CD pipeline tokens, and payment processor keys stolen from their build systems — giving attackers persistent access to AWS, Azure, Google Cloud, and Stripe accounts without triggering standard login alerts. A successful credential theft could enable attackers to exfiltrate customer data, disrupt cloud-hosted services, or conduct fraudulent transactions, creating direct financial loss, regulatory exposure under GDPR and PCI-DSS where payment and personal data are involved, and reputational damage if a breach is publicly disclosed. The open-source release of the attack toolkit on a criminal forum means the threat window is extended: organizations that were not hit by TeamPCP directly face ongoing exposure from copycat actors using the same methods.
You Are Affected If
Your JavaScript projects directly depend on any @antv package (@antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g, @antv/g2plot, @antv/graphin, @antv/data-set) or echarts-for-react, timeago.js, size-sensor, or canvas-nest.js
Your CI/CD pipelines (GitHub Actions or self-hosted runners) run npm install without a committed lockfile that pins exact versions and records integrity hashes (npm ci against package-lock.json enforces both), so a floating semver range can resolve to a newly published malicious version
Your build environments have access to cloud provider credentials (AWS, GCP, Azure), secrets management systems (HashiCorp Vault), container registry credentials, or payment API keys (Stripe)
You rely on SLSA provenance attestations as a primary or sole supply chain integrity control — forged attestations in this campaign defeat that control
You consume any of the 323 affected packages transitively through a third-party dependency without direct visibility into your full dependency tree
Board Talking Points
Attackers poisoned widely used developer tools — software our engineering teams may already have installed — and stole cloud and payment credentials silently during normal software builds.
Security teams should audit all JavaScript build pipelines for the affected packages within 24 hours and immediately rotate any cloud or payment credentials accessible from those build environments.
Organizations that take no action remain exposed not only to this attacker but to any copycat using the now-public attack code, extending the risk window indefinitely.
PCI-DSS — Stripe API keys are explicitly listed as a credential type harvested by the stealer; any build environment with Stripe credentials in scope may constitute a cardholder data environment breach requiring incident notification and forensic review.
GDPR — Cloud provider credentials (AWS, GCP, Azure) stolen from build environments may have enabled unauthorized access to systems processing EU personal data, triggering breach assessment and potential 72-hour notification obligations under Article 33.