News May 21, 2026

IT News Roundup: Chromium Exploit, GitHub Breach, SonicWall MFA Bypass - May 21, 2026

Google publishes exploit code for an unfixed Chromium vulnerability affecting millions of users. GitHub confirms a breach of roughly 3,800 internal repositories via a malicious VS Code extension. Hackers bypass SonicWall VPN MFA due to incomplete patching procedures.

This week in IT news: Google's premature publication of exploit code for an unfixed Chromium vulnerability threatens millions of browser users worldwide. GitHub confirmed a significant breach after a trojanized VS Code extension compromised roughly 3,800 internal repositories. Meanwhile, SonicWall VPN appliances remain vulnerable to MFA bypass attacks when administrators skip critical post-patch configuration steps.

Google Publishes Exploit Code for Unfixed Chromium Vulnerability Threatening Millions

Google published exploit code on Wednesday for an unfixed vulnerability in its Chromium browser codebase that affects Chrome, Microsoft Edge, Brave, Opera, Vivaldi, Arc, and virtually all other Chromium-based browsers. The proof-of-concept abuses the Background Fetch API, a standard designed to let large files download in the background even after the page that started them is closed.

An attacker can use the exploit to create persistent connections that monitor browser activity, act as a proxy for viewing sites, or launch denial-of-service attacks. Depending on the browser, these connections either reopen or remain open even after a reboot, effectively turning compromised devices into part of a limited botnet. The vulnerability was originally reported by independent researcher Lyra Rebane in late 2022 and, by Ars Technica's count, has gone unfixed for 29 months.

The issue was rated S1 (the second-highest severity in Chromium's scale), and two Chromium developers acknowledged it as "serious" in the private disclosure thread. Google representatives did not immediately respond to questions about why the exploit code was published before a fix was available, or when a patch might be expected. Firefox and Safari are unaffected because they do not implement Background Fetch.

Source: Ars Technica

GitHub Confirms Breach of ~3,800 Repositories via Malicious VS Code Extension

GitHub confirmed that approximately 3,800 internal repositories were breached after one of its employees installed a trojanized VS Code extension from the official marketplace. The company detected and contained the compromise, removed the malicious extension version, isolated the affected endpoint, and began incident response immediately.

The TeamPCP hacker group claimed responsibility on the Breached cybercrime forum, stating they accessed "~4,000 repos of private code" and asking for at least $50,000 from interested buyers. The group said they would leak the data freely if no buyer emerged within their timeframe.

TeamPCP has been linked to a series of major supply chain attacks targeting developer platforms including GitHub Actions, PyPI, NPM, and Docker. They were also behind the recent "Mini Shai-Hulud" campaign that compromised two OpenAI employees. This incident underscores the ongoing risks of third-party extensions in development environments.

Source: BleepingComputer

Grafana Breach Traced to Missed Token Rotation After TanStack Supply Chain Attack

The Grafana data breach was caused by a single GitHub workflow token that slipped through the rotation process following last week's TanStack npm supply-chain attack. During the Shai-Hulud malware campaign attributed to TeamPCP hackers, dozens of TanStack packages infected with credential-stealing code were published on npm.

Grafana detected malicious activity from compromised TanStack packages on May 1 and immediately deployed its incident response plan, which included rotating GitHub workflow tokens. However, one token was missed in the process, allowing attackers to access private repositories containing source code, operational information, and business contact details.
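The failure mode described here is a coverage gap: the rotation list was shorter than the set of tokens actually in use. As an added example that is not Grafana's or GitHub's own tooling, the script below inventories every secrets.* reference in a repository's workflow files and diffs that set against a rotation checklist, so a token cannot be silently skipped. The .github/workflows/*.yml layout, the checklist format (one secret name per line) and the sample workflows inside demo() are constructed for this example.

```shell
#!/bin/sh
# Added example, not Grafana's or GitHub's own tooling: list every secret that
# GitHub Actions workflows reference and diff that set against a rotation
# checklist. Assumes the standard .github/workflows/*.yml layout; the checklist
# file (one secret name per line) and the workflows in demo() are constructed.
set -e
export LC_ALL=C   # sort and comm must agree on collation

# Print the sorted, unique secret names referenced under workflow dir $1.
# GITHUB_TOKEN is minted per job run and cannot be rotated, so it is dropped.
workflow_secrets() {
    grep -rhoE 'secrets\.[A-Za-z0-9_]+' "$1" 2>/dev/null \
        | sed 's/^secrets\.//' | grep -vx 'GITHUB_TOKEN' | sort -u
}

# Print names referenced by workflows in dir $1 but absent from checklist $2.
# Exit status is 0 either way; an empty result means full coverage.
unrotated_secrets() {
    t=$(mktemp -d)
    workflow_secrets "$1" > "$t/referenced"
    sort -u "$2" > "$t/rotated"
    comm -23 "$t/referenced" "$t/rotated"
    rm -rf "$t"
}

# Constructed demonstration: two workflows and a checklist that misses one key.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/.github/workflows"
    cat > "$d/.github/workflows/ci.yml" <<'EOF'
name: ci
on: [push]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.GH_RELEASE_TOKEN }}
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
EOF
    cat > "$d/.github/workflows/deploy.yml" <<'EOF'
name: deploy
on: [workflow_dispatch]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh
        env:
          CLOUD_KEY: ${{ secrets.CLOUD_DEPLOY_KEY }}
          GH: ${{ secrets.GITHUB_TOKEN }}
EOF
    printf 'GH_RELEASE_TOKEN\nNPM_TOKEN\n' > "$d/rotated.txt"
    unrotated_secrets "$d/.github/workflows" "$d/rotated.txt"
    rm -rf "$d"
}
```

From a repository root, `unrotated_secrets .github/workflows rotated.txt` prints whatever still needs rotating; demo() prints CLOUD_DEPLOY_KEY. The grep only sees secrets named in workflow files, so cross-check against `gh secret list` at repository, environment and organization scope: reusable workflows called with `secrets: inherit` consume secrets this inventory never names, and tokens that live outside Actions (personal access tokens on developer machines, tokens baked into CI runner images) need their own list. Moving cloud deployments to OIDC federation removes long-lived tokens from the rotation problem altogether.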

The company confirmed that there was no customer impact: the stolen data did not include information pulled from or processed through production systems or the Grafana Cloud platform. Grafana stated it would not make a ransom payment to the attackers.

Source: BleepingComputer

Hackers Bypass SonicWall VPN MFA Due to Incomplete Patching Procedures

Threat actors successfully brute-forced VPN credentials and bypassed multi-factor authentication on SonicWall Gen6 SSL-VPN appliances, deploying tools used in ransomware attacks. Researchers at ReliaQuest assessed these intrusions as the first confirmed in-the-wild exploitation of CVE-2024-12802.

The continued exposure stems from an incomplete remediation process: SonicWall warned that installing the firmware update alone on Gen6 devices does not fully mitigate CVE-2024-12802. A manual reconfiguration of the LDAP server is also required, and organizations that skipped this step left their MFA protection bypassable.

In one incident, a hacker gained access to an internal network and reached a domain-joined file server in as little as 30 minutes, then established RDP connections using shared local administrator passwords. The attacker attempted to deploy Cobalt Strike beacons and vulnerable drivers for endpoint protection evasion, though EDR solutions blocked these attempts. On Gen7 and Gen8 devices, simply updating firmware is sufficient to eliminate the risk.

Source: BleepingComputer

PinTheft Exploit Released for Arch Linux Root Privilege Escalation Flaw

A proof-of-concept exploit has been released for PinTheft, a Linux kernel privilege escalation vulnerability in the RDS (Reliable Datagram Sockets) zerocopy path. The V12 security team published both an advisory and working PoC code that allows local attackers to gain root privileges on affected systems.

The bug involves a double-free condition: when user pages are pinned one at a time during RDS zerocopy operations, error paths can drop already-pinned pages twice. Each failed zerocopy send steals one reference from the first page, which the exploit leverages through io_uring fixed buffers to achieve arbitrary memory writes.

The attack surface is limited by specific requirements: the RDS kernel module must be loaded (enabled by default only on Arch Linux among common distributions), io_uring must be enabled, and a readable SUID-root binary must exist. Users unable to patch immediately can mitigate by disabling the RDS module with echo "install rds /bin/true" | sudo tee -a /etc/modprobe.d/rds.conf.
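The modprobe one-liner above only prevents future loads: it does not unload an rds module that is already resident, and it says nothing about the io_uring half of the precondition. As an added example that is not from the V12 advisory or the article, the script below checks both conditions and applies the block idempotently. It assumes the usual kernel interfaces (/proc/modules, /etc/modprobe.d, and the kernel.io_uring_disabled sysctl present since Linux 6.6); every path can be overridden so the functions can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not from the V12 advisory or BleepingComputer: report whether
# the RDS module is loaded or still auto-loadable, whether io_uring is switched
# off, and install the modprobe.d block idempotently. Defaults are the live
# kernel interfaces; pass paths to test against constructed files.
set -e

# 0 if rds or a dependent module (rds_tcp, rds_rdma) is loaded. $1 = /proc/modules.
rds_loaded() {
    grep -qE '^rds(_[a-z]+)? ' "${1:-/proc/modules}" 2>/dev/null
}

# 0 if some *.conf in modprobe dir $1 already neutralises rds. An `install`
# line is preferred: it defeats even an explicit `modprobe rds`, whereas
# `blacklist` only stops alias-driven autoload such as socket(AF_RDS, ...).
rds_blocked() {
    grep -qsE '^[[:space:]]*(install[[:space:]]+rds[[:space:]]|blacklist[[:space:]]+rds[[:space:]]*$)' \
        "${1:-/etc/modprobe.d}"/*.conf 2>/dev/null
}

# Append the block line to conf file $1 unless it is already present.
block_rds() {
    conf=${1:-/etc/modprobe.d/rds.conf}
    grep -qs '^install rds /bin/true$' "$conf" ||
        printf 'install rds /bin/true\n' >> "$conf"
}

# 0 if kernel.io_uring_disabled (Linux >= 6.6) is 2, i.e. io_uring is off for
# every process, which also removes the fixed-buffer primitive the PoC uses.
# $1 = the procfs path. Older kernels have no such knob and report "absent".
io_uring_off() {
    f=${1:-/proc/sys/kernel/io_uring_disabled}
    [ -r "$f" ] && [ "$(cat "$f")" = 2 ]
}

# Human-readable summary; returns 0 only when rds is neither loaded nor
# loadable. $1 = /proc/modules, $2 = modprobe dir, $3 = io_uring sysctl file.
rds_report() {
    ok=0
    if rds_loaded "$1"; then echo "rds: LOADED (rmmod rds after blocking, or reboot)"; ok=1
    else echo "rds: not loaded"; fi
    if rds_blocked "$2"; then echo "rds autoload: blocked"
    else echo "rds autoload: NOT blocked (run block_rds)"; ok=1; fi
    if io_uring_off "$3"; then echo "io_uring: disabled"
    else echo "io_uring: enabled or sysctl absent"; fi
    return $ok
}
```

On a live host, run rds_report with no arguments, then block_rds as root if it complains; `modprobe -n -v rds` afterwards should show the install rule being honored instead of a module path. If rds is already loaded, `rmmod rds` removes it unless a socket still holds it, in which case a reboot is needed. Setting kernel.io_uring_disabled=2 closes the other precondition for every user but breaks software that depends on io_uring, so treat it as a hardening choice rather than a drop-in fix.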

Source: BleepingComputer

Drupal Issues Critical Security Update with High Exploitation Risk Warning

Drupal announced a core security release warning that threat actors could develop exploits within hours of the update disclosure. Administrators were urged to reserve time for updates on May 20 between 17:00 and 21:00 UTC, as the vulnerability affects Drupal core versions 8 and later.

The CMS is widely used across government, education, healthcare, and enterprise sectors. Security updates are available for supported versions including 11.1.9 and 10.4.9, with emergency fixes also provided for end-of-life versions 10.x and 9.x. Hotfix files were published for Drupal 8.9.20 and 9.5.11.

No technical details about the vulnerability were disclosed, and Drupal warned that any information appearing online before the official announcement could be fraudulent, designed to trick administrators into taking risky actions. Sites using Drupal Steward are already protected against known attack vectors but should still apply the update.

Source: BleepingComputer

Discord Completes End-to-End Encryption Rollout for All Voice and Video Calls

Discord announced that all voice and video calls across its platform are now protected by default with end-to-end encryption. The implementation was completed in March, and the company is now removing client code that supports unencrypted fallback connections.

The migration extended Discord's open-source DAVE protocol (Discord's Audio and Video End-to-end Encryption) to every platform where Discord clients run, including desktop, mobile, web browsers, PlayStation, Xbox, and third-party SDK integrations. With an estimated 690 million registered users and over 200 million monthly active users worldwide, this represents one of the largest E2EE deployments in consumer communications.

Source: BleepingComputer

