A major supply chain attack attributed to the TeamPCP hacking group has compromised over 320 NPM packages, with attackers gaining access to the 'atool' maintainer account that controls high-profile packages like timeago.js with 1.5 million weekly downloads. The malicious code steals credentials from over 130 file paths including AWS, Azure, and cryptocurrency wallets, harvests plaintext secrets from GitHub Actions workflows, and now includes new capabilities like executing remote Python code and dropping persistent backdoors in development tools. Security researchers tracked roughly 639 malicious package versions across data visualization and React ecosystems, with attackers using compromised NPM tokens to automatically inject malware into additional packages and exfiltrate stolen data through more than 2,200 GitHub repositories.