It's possibly detrimental to the company and to the customers. Essentially, he's a developer, and with that comes certain access to various internal code testing and QA environments, and if it's a smaller company maybe even production (though most devs don't get that access). The company hired him, and trusted him, and he most likely signed a network usage policy stating that HE would be the only person to use his login credentials and RSA token, and that sharing them with anyone else is considered a violation of that policy. They hired him, and background checked him, before deciding to trust him with that access and him alone. Simply giving that access even to another co-worker sitting next to you is a huge no no in the IT world when you have that kind of power on the network, giving it to a third party he's never met in China is like the worst case scenario.
He essentially took that trust the company gave to him, and then made a personal decision that he could trust some firm in China to not hack their network, not put backdoors in their production code, and not do anything malicious. He didn't really damage any co-workers most likely, but it's possible his manager would also get fired over something like this for being unaware of it. Mostly the threat is to the company and the customer, depending on industry this could be not that big of a deal or a big deal. Completely depends on what type of data his applications were handling.