ShinyHunters Leaks 9.4GB of 7-Eleven Customer Data
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 26, 2026
cybr.cx | Daily Digest — May 26, 2026
Critical Vulnerabilities
No CVE data was available for today's digest. This may reflect a quiet patch cycle or a data pipeline gap — either way, treat it as a reminder to review your own vuln backlog rather than a signal to stand down. Check NVD and your vendor advisories directly.
Headline News
ShinyHunters Dumps 9.4GB of 7-Eleven Data After Extortion Refusal
ShinyHunters — the threat group behind some of the most damaging data extortion campaigns of the past several years — has followed through on a ransom threat, publicly releasing a 9.4GB database allegedly pulled from 7-Eleven franchisee systems. The dump reportedly exposes over 185,000 accounts, and the release appears to have been triggered by 7-Eleven's refusal to pay. The incident is a textbook example of what happens when an organisation calls a ransomware group's bluff without first validating the scope of the exposure or having a containment plan ready to execute. For practitioners, the franchisee angle is worth close attention: third-party and franchise operator environments are notoriously difficult to bring under a consistent security baseline, and attackers know it. This breach is a useful forcing function for any organisation running distributed, semi-autonomous business units to revisit how those environments are monitored and what data they hold.
Anthropic Accidentally Shipped Claude Code's Entire Source to npm
Back on March 31, 2026, Anthropic made a significant operational security error: the complete source code of Claude Code — some 512,000 lines of TypeScript across nearly 1,906 files — was pushed to the public npm registry. The package included 44 hidden feature flags and references to an unreleased model internally codenamed "Mythos," neither of which Anthropic intended to disclose. The incident is only now receiving wider scrutiny, and it raises uncomfortable questions about the maturity of CI/CD and secrets management practices inside even well-resourced AI labs. For security teams, the practical concern is less about Anthropic's proprietary roadmap and more about what this pattern looks like at scale: as AI tooling proliferates across development workflows, accidental publication of internal logic, feature flags, and model references to public package registries becomes a systemic supply chain risk. If your organisation consumes AI SDKs or developer tooling from third parties, this is a good week to audit what you're actually pulling in.
Schrödinger's Feed
A Quantum Sensor That Can Count Single Photons — and Maybe Hunt Dark Matter
Researchers have developed a new quantum sensor capable of detecting individual photons with high fidelity — a capability that pushes the boundary of what quantum hardware can observe at the smallest physical scales. While the immediate application is framed around fundamental physics and dark matter detection, the underlying sensor technology has direct implications for quantum key distribution (QKD) systems, where single-photon detection is the cornerstone of secure communication. Improvements here tighten the gap between theoretical QKD security proofs and real-world deployable systems. Practitioners building long-horizon cryptographic strategies — particularly those evaluating hybrid classical/quantum secure channels — should watch this space, as hardware fidelity improvements tend to accelerate timelines faster than policy frameworks expect.
/dev/random
California Discovers That Operating Systems Don't Actually Card People
California's age-verification law has hit an unexpected philosophical obstacle: Linux. The original legislation, in its apparent enthusiasm, was written broadly enough to require operating systems to collect users' ages — which, in practice, would have meant Linux distributions needed to implement age-gating mechanisms. The backlash was swift enough that the same lawmaker who authored the original bill has now proposed an amendment to exempt Linux explicitly. It's a rare legislative self-correction, and a reminder that when laws are drafted without technical input, someone always ends up explaining to a committee why apt-get install doesn't need a birthday.