TF Cybercrime Round-up: Chromium Exploit, GitHub Breach, and Trump Mobile Leak

Google published exploit code for an unfixed Chromium vulnerability affecting billions of users. TeamPCP stole 3,800 GitHub repositories through a single poisoned VS Code extension. And Trump Mobile started shipping its $499 gold phone while leaking customer data through a basic security flaw.

Eve Harrison

Cybersecurity news hit three separate fronts — and each situation reveals a different dimension of digital infrastructure failures. Google published proof-of-concept exploit code for an unfixed vulnerability in Chromium that can turn every browser running on it into part of a persistent botnet. GitHub confirmed that threat actor TeamPCP stole 3,800 internal repositories after a single employee installed a poisoned Visual Studio Code extension. And Trump Mobile — a company that just began shipping its $499 gold-coloured T1 smartphone after months of delays — is exposing customer data through a vulnerability so simple that a researcher accessed the entire pre-order database without significant effort. Three stories. All on the same Tuesday. All involving failures that were preventable.

What’s Happening & Why It Matters

Google’s Chromium Exploit: Unfixed for 29 Months

Google published working proof-of-concept exploit code for a vulnerability in Chromium’s Browser Fetch API. That is the programming interface that allows browsers to download large files and videos in the background. The exploit works by abusing the Fetch API to open a service worker — a background process that is persistently active. Any malicious website can trigger it through JavaScript. No user interaction beyond visiting the site is required. Once triggered, the service worker creates a connection that attackers can use to monitor browser activity and proxy internet traffic. Depending on the browser, that connection either reopens after a reboot or is active continuously. In practical terms, the exploit turns affected devices into part of a limited botnet — persistently connected to an attacker’s infrastructure.

The vulnerability affects every Chromium-based browser. That includes Google Chrome, Microsoft Edge, Brave, Vivaldi, and Opera. Together, these browsers are installed on billions of devices worldwide. Chrome alone holds approximately 65% of the global browser market. The vulnerability has reportedly been present in the codebase for 29 months — and is unpatched.

Why Google Published Exploit Code for an Unfixed Flaw

Google did not respond immediately to press inquiries asking why it published exploit code for a vulnerability it has not yet fixed. That silence has generated significant commentary in the security research community. Standard responsible disclosure practice — known as coordinated disclosure — involves notifying a vendor of a vulnerability, allowing a defined window for a fix, and then publishing the details publicly. Publishing working exploit code before a fix exists departs from that framework. It gives attackers a precise roadmap for exploiting a flaw they could not previously have easily discovered.

At the same time, some security researchers argue that publishing exploit code creates pressure for faster remediation — forcing internal teams, browser vendors, and enterprise security teams to prioritise a fix that might otherwise be delayed. That argument has merit. It does not eliminate the risk that malicious actors use the published code before a patch ships. Google has not confirmed a timeline for a fix. Every Chromium-based browser user is currently running a browser that can be added to a botnet by visiting a malicious website.

GitHub Breach: One Extension, 3,800 Repositories

On the same day, GitHub confirmed a breach disclosed on 19 May 2026. Threat actor TeamPCP exfiltrated approximately 3,800 internal code repositories after one employee installed a poisoned Visual Studio Code extension. GitHub detected the compromise, isolated the affected device, removed the malicious extension, and spent the night rotating high-impact credentials and cryptographic keys.

GitHub posted a series of updates on X confirming the breach and the containment actions. “Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only,” the company stated. “The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.” The key phrase is “GitHub-internal repositories only.” The breach did not compromise customer repositories, user data, or the public-facing platform. By contrast, the 3,800 internal repositories contain GitHub’s proprietary source code — the internal codebase of the platform that hosts more than 100 million developers globally.

TeamPCP: A Serial Supply Chain Attacker

TeamPCP is not a new threat actor. The group has been responsible for a sustained 2026 campaign targeting developer tooling. Before GitHub, the group compromised Aqua Security’s Trivy vulnerability scanner, Checkmarx’s KICS infrastructure-as-code analyser, Bitwarden CLI, TanStack, and LiteLLM. Downstream victims have included the European Commission. TeamPCP is also known to have working partnerships with extortion operators and ransomware groups, including Lapsus$ and the Vect ransomware group.

The GitHub attack followed a straightforward but effective pattern. TeamPCP identified a VS Code extension with a legitimate user base. It poisoned that extension. The compromised extension reached an employee’s workstation through normal development activity. That single workstation provided access to GitHub’s internal systems. Developer Relations lead Mackenzie Jackson of Aikido Security described the pattern precisely. “Developer workstations are the number one target in supply chain attacks. A single VS Code extension on one employee’s machine was enough to get access to 3,800 internal GitHub repositories. TeamPCP has compromised Trivy, Checkmarx, Bitwarden CLI, TanStack, and now GitHub — all in 2026, all through developer tooling.”

The 3,800 Repositories Being Sold

TeamPCP posted on underground cybercrime forums claiming to offer the stolen dataset for sale. Their stated price: offers exceeding $50,000. The group’s post claimed access to approximately 4,000 private repositories tied directly to GitHub’s main platform. GitHub’s own investigation confirmed that 3,800 is “directionally consistent” with that claim. What those repositories contain — and what attackers could build with GitHub’s internal source code — is the central question that GitHub’s security team is working to assess. GitHub has not named the specific VS Code extension used in the attack. Separately, some researchers have speculated that the recently discovered CVE-2026-3854 remote code execution vulnerability in GitHub’s backend may also have been exploited. GitHub has not confirmed that connection.

Trump Mobile: Simple Vulnerability, Entire Customer Database

The third security story of the day is the most embarrassing — and potentially the most politically charged. Trump Mobile — the smartphone company associated with President Donald Trump — began shipping its T1 phone to customers after months of delays. On the same day, YouTubers Coffeezilla (Stephen Findeisen) and Penguinz0 published videos revealing that TrumpMobile.com is actively leaking customer data through a basic, unpatched security vulnerability.

The leaked data includes customer mailing addresses, email addresses, phone numbers, and order details. Coffeezilla confirmed his own data was exposed. “I know that because, sadly, I am one of those customers whose mailing address, email address — everything short of credit card number — is being leaked,” he said in his video. Coffeezilla specifically warned: “Do not order on trumpmobile.com unless you’re ready for your information to be leaked. It’s basically that bad.” Penguinz0 confirmed the same experience. Both stated they had been alerted by an independent security researcher who discovered the exposed data online.

The Researcher Who Tried to Warn Them First

The researcher who discovered the Trump Mobile vulnerability did not go directly to the press. They contacted Trump Mobile directly — multiple times. The company did not respond. The vulnerability remained unpatched. The researcher then alerted Coffeezilla and Penguinz0, who went public. Trump Mobile has not responded to press requests for comment at the time of writing.

Beyond the data exposure itself, the vulnerability reveals an additional and politically sensitive detail. The pre-order database accessible through the flaw contains order ID numbers. Those sequential identifiers suggest approximately 30,000 orders in the entire database — a figure dramatically lower than the 590,000 pre-orders at $100 each that Trump Mobile had previously claimed. That would represent a gap of over half a million claimed orders that do not appear in the actual database. Trump Mobile had not addressed the discrepancy by the time of publication.

The Common Thread: Preventable Failures

All three security stories share one characteristic. Each failure was preventable. The Chromium vulnerability has been in the codebase for 29 months — longer than many security patches take to ship. Publishing exploit code without a fix accelerates exploitation. GitHub’s breach resulted from a single compromised endpoint — a failure mode that endpoint detection and response (EDR) tools, strict extension vetting policies, and privileged access management systems exist specifically to prevent. Trump Mobile’s data exposure was identified by a researcher, flagged to the company, and ignored — the most elementary class of security failure.
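One form the extension vetting mentioned above can take, shown as an added example that is not code from GitHub, Microsoft or the original article: an audit of the listing printed by `code --list-extensions --show-versions` against a pinned allowlist. The extension IDs, versions and the `ALLOWLIST` policy are constructed for illustration.

```python
# Audit `code --list-extensions --show-versions` output against a pinned
# allowlist. All extension IDs and versions here are constructed samples.
import re

# Hypothetical org policy: extension ID -> the single version that was reviewed.
ALLOWLIST = {
    "example-corp.yaml-helper": "2.4.1",
    "example-corp.lint-tools": "1.0.9",
}

# Constructed sample listing, one `publisher.name@version` per line.
SAMPLE_OUTPUT = """\
example-corp.yaml-helper@2.4.1
Example-Corp.lint-tools@1.1.0
unknown-pub.theme-pack@0.3.2
not a valid line
"""

LINE_RE = re.compile(r"^([A-Za-z0-9][\w-]*\.[\w-]+)@(\d+\.\d+\.\d+\S*)$")


def audit(listing, allowlist):
    """Return a (status, extension_id_or_line, version) tuple per input line."""
    findings = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            # Fail closed: a line we cannot parse is reported, not skipped.
            findings.append(("unparsed", line, None))
            continue
        # IDs are lower-cased so a case variant cannot dodge the policy.
        ext_id, version = match.group(1).lower(), match.group(2)
        pinned = allowlist.get(ext_id)
        if pinned is None:
            status = "not_allowlisted"
        elif version != pinned:
            status = "version_drift"  # reviewed extension, unreviewed code
        else:
            status = "ok"
        findings.append((status, ext_id, version))
    return findings


if __name__ == "__main__":
    for status, ext_id, version in audit(SAMPLE_OUTPUT, ALLOWLIST):
        if status != "ok":
            print(f"{status:16} {ext_id} {version or ''}")
```

The `version_drift` finding is the one that matches the pattern described in this article, where an extension with a legitimate user base later ships poisoned code; a pin like this only holds if automatic extension updates are disabled on the workstation.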

TF Summary: What’s Next

Google has not confirmed a timeline for patching the Chromium Fetch API vulnerability. All Chromium-based browsers are affected until a fix ships. Users cannot currently protect themselves except by understanding that any website they visit can exploit the flaw. GitHub’s investigation into the TeamPCP breach is ongoing. The company has rotated critical credentials and says there is no evidence of impact to customer data outside internal repositories. The stolen repositories are reportedly being offered for sale. Trump Mobile’s vulnerability is unpatched at the time of writing. The company has not responded to press or customer inquiries.

MY FORECAST: Cybersecurity news from 20 May will produce regulatory responses on two of three fronts. The Chromium Fetch API vulnerability will receive an emergency patch within 30 days — Google’s publishing of exploit code effectively created the external pressure needed to force the internal timeline. The TeamPCP campaign will prompt Microsoft — which owns GitHub and the VS Code marketplace — to implement mandatory code signing and automated malware scanning for all VS Code extensions before they reach the marketplace. That policy change is long overdue. The GitHub breach makes it politically impossible to delay further. Trump Mobile’s situation will produce an FTC inquiry within 60 days. The company’s silence in response to a researcher’s disclosure, combined with confirmed exposure of customer personal data, meets the threshold for a federal consumer protection investigation. Whether the Trump administration’s FTC chooses to pursue that investigation is a different question entirely.

