☀️ Good afternoon. Here's everything that happened in cybersecurity yesterday — in under 5 minutes.
Iran sent missile threats to US Marines via WhatsApp and published 2,379 of their names, ShinyHunters claimed 9.4 million Amtrak records through Salesforce, a 15-year-old in France hacked the national ID agency and listed 11.7 million citizens' data for sale, the FBI warned that cyber-enabled cargo theft hit $725 million in 2025, and PyTorch Lightning was backdoored with credential-stealing malware that executes the moment you import the package.
🔥 Top Stories
01 — Iran-Linked Handala Leaks 2,379 US Marines' Data and Sends WhatsApp Missile Threats
Nation-State Cyber Threats
Iran-linked Handala published the names and phone numbers of 2,379 US Marines stationed in the Persian Gulf and sent direct WhatsApp messages warning of targeting by Shahed drones and Kheibar missiles. The operation, attributed by the DOJ to Iran's Ministry of Intelligence and Security, unfolded in two phases: first, threatening messages to service members' personal phones from a spoofed Bahraini number — then a Telegram post publishing the data as proof of "intelligence superiority."
The data may have come from open-source directories and data brokers rather than a genuine military breach. That question is operationally irrelevant. The messages were real, received by real service members, with real psychological impact. Handala has already claimed a Stryker wiper attack, the breach of FBI Director Kash Patel's personal Gmail, and the doxxing of 28 Lockheed Martin engineers in Israel in 2026 alone.
02 — ShinyHunters Claims 9.4M Amtrak Records via Salesforce — 2.1M Confirmed on Have I Been Pwned
Data Breaches
ShinyHunters claimed 9.4 million Amtrak records obtained through Salesforce — the same social engineering chain used against ADT, Udemy, Medtronic, Vimeo, and Cisco this year. A confirmed dataset of 2.1 million unique accounts appeared on Have I Been Pwned. Amtrak has not commented. The most dangerous element isn't email addresses — it's customer support interaction records that document travel patterns and routes, enabling hyper-targeted phishing that references your actual journeys.
The Amtrak breach is the latest in a coordinated 2026 campaign. ShinyHunters is not breaching companies one at a time: the entry point is the shared Salesforce platform, and the same social engineering playbook is being replayed against dozens of its customers at once. More disclosures are coming.
03 — France Arrests 15-Year-Old "breach3d" for Hacking National ID Agency — 11.7M Accounts Exposed
Data Breaches
The Paris prosecutor's office announced that a 15-year-old operating as "breach3d" was arrested on April 25 after breaching France's ANTS — the national agency managing passports, ID cards, driver's licenses, and vehicle registrations. ANTS confirmed 11.7 million accounts were affected. The hacker listed between 12 and 18 million lines of data on criminal forums on April 16, taunting ANTS online before investigators traced and arrested them nine days later.
Charges carry up to seven years in prison and a €300,000 fine. France has now detained three cybercrime suspects aged 15 to 21 in separate cases within the first four months of 2026. The ANTS agency also manages France's age-verification app intended to prevent children under 15 from accessing social media — making the irony of a 15-year-old breaching it particularly sharp.
04 — FBI Warns Cyber-Enabled Cargo Theft Surged to $725M in 2025 — A 60% Jump
Policy & Government
The FBI issued a public service announcement warning that cyber-enabled cargo theft hit $725 million in the US and Canada in 2025 — a 60% surge over 2024. Threat actors breach freight broker and carrier systems via spoofed emails and fake URLs, post fraudulent load board listings impersonating legitimate companies, and redirect high-value shipments before they arrive. Confirmed incidents rose 18%, and the average value per theft jumped 36% to $273,990 — reflecting deliberate targeting of high-value loads. Named group Diesel Vortex used dozens of spoofed domains to conduct the scheme at scale.
The attack is Business Email Compromise applied to physical goods. The difference: instead of redirecting a wire transfer, attackers redirect a truck — and there is no wire recall equivalent for a diverted shipment of server hardware.
05 — PyTorch Lightning Compromised — Malware Steals Credentials Automatically on Import
Supply Chain Attack
Versions 2.6.2 and 2.6.3 of PyTorch Lightning were backdoored in a supply chain attack: credential-stealing malware runs the moment the package is imported, so installing and importing it is the only user action required. Socket flagged both versions 18 minutes after publication. The malware targets SSH keys, cloud credentials (AWS/GCP/Azure), GitHub tokens, npm tokens, cryptocurrency wallets, and environment variables. It also carries a worm capability: if it finds an npm publish token, it injects a dropper into every package that token can publish to and republishes them, spreading to all downstream users.
PyPI has quarantined the project. Version 2.6.1 is the last clean baseline. Treat any environment that imported 2.6.2 or 2.6.3 as fully compromised: rotate every credential it could reach (SSH keys, cloud credentials, GitHub and npm tokens, anything in the environment) and audit every npm package those tokens were allowed to publish to.
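Two checks a practitioner would want after reading the above, as an added example (not Socket's scanner and not code from the Lightning project): first, flag requirement or `pip freeze` lines that pin the compromised releases, or leave the version open so a resolver could pick them; second, list what a package's `__init__.py` would execute at import time by walking its AST without importing it, since the whole point of this incident is that import alone is enough. The two embedded `__init__.py` sources are constructed stand-ins that mimic the shape of an import-time payload; they are not the real malware. The list of suspicious calls is an assumption to extend.

```python
"""Two checks for the PyTorch Lightning incident described above.

Added example, not Socket's scanner or code from the Lightning project:
(1) flag requirement/freeze lines that pin, or could resolve to, the
compromised releases; (2) statically list what a package's __init__.py
would run at import time, without importing it. The sample sources below
are constructed stand-ins, not the real payload.
"""
import ast
import re

# Compromised releases named in the report; 2.6.1 is the last clean baseline.
COMPROMISED = {"pytorch-lightning": {"2.6.2", "2.6.3"}}

# Calls with no business running at import time of a training library (assumption).
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "__import__", "os.system", "os.popen",
    "subprocess.run", "subprocess.Popen", "subprocess.check_output",
    "base64.b64decode", "marshal.loads", "zlib.decompress",
    "urllib.request.urlopen", "socket.socket", "requests.get", "requests.post",
}
SUSPICIOUS_READS = {"os.environ"}  # environment harvesting at import time


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: PyTorch_Lightning -> pytorch-lightning."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_requirements(lines):
    """Return (line, reason) for requirement lines touching a compromised project."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments/markers
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$", line)
        if not m:
            continue  # blank, comment-only or '-r other.txt' lines
        name, spec = normalize_name(m.group(1)), m.group(2).strip()
        if name not in COMPROMISED:
            continue
        pin = re.match(r"^==\s*([0-9A-Za-z.]+)$", spec)
        if pin is None:
            findings.append((raw.strip(), "not pinned: resolver may select a compromised release"))
        elif pin.group(1) in COMPROMISED[name]:
            findings.append((raw.strip(), "pinned to compromised release"))
    return findings


def _dotted(node):
    """'os.environ.get' for an attribute chain rooted at a plain name, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None


def _runs_at_import(stmt):
    """Yield nodes executed when the module loads: function and lambda bodies are
    only defined, not run, but decorators and class bodies do execute."""
    stack = [stmt]
    while stack:
        node = stack.pop()
        yield node
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            stack.extend(node.decorator_list)
        elif not isinstance(node, ast.Lambda):
            stack.extend(ast.iter_child_nodes(node))


def import_time_risks(source: str):
    """Return sorted (lineno, name) pairs for suspicious calls/reads at import."""
    hits = set()
    for stmt in ast.parse(source).body:
        for node in _runs_at_import(stmt):
            if isinstance(node, ast.Call) and _dotted(node.func) in SUSPICIOUS_CALLS:
                hits.add((node.lineno, _dotted(node.func)))
            elif isinstance(node, ast.Attribute) and _dotted(node) in SUSPICIOUS_READS:
                hits.add((node.lineno, _dotted(node)))
    return sorted(hits)


# Constructed stand-in for a backdoored __init__.py; NOT the real payload.
TAINTED_INIT = '''\
import os, base64, subprocess
from ._core import Trainer

def train(model):
    return Trainer().fit(model)

_blob = base64.b64decode("cHJpbnQoJ2hpJyk=")
exec(compile(_blob, "<stage2>", "exec"))
subprocess.Popen(["sh", "-c", "cat ~/.ssh/id_rsa"], env=os.environ)
'''

# Constructed clean __init__.py: the subprocess call is inside a function.
CLEAN_INIT = '''\
from ._core import Trainer
__version__ = "2.6.1"

def helper():
    import subprocess  # only runs when helper() is called
    return subprocess.run(["true"])
'''

if __name__ == "__main__":
    print(check_requirements(["pytorch-lightning==2.6.2", "PyTorch-Lightning>=2.6"]))
    print(import_time_risks(TAINTED_INIT), import_time_risks(CLEAN_INIT))
```

Run `import_time_risks` over the `__init__.py` of a downloaded wheel (unzip it; never `pip install` it) before trusting a fresh release, and run `check_requirements` over lock files in CI. Static scanning misses obfuscation such as `getattr(__builtins__, "ex" + "ec")`, so treat an empty result as "nothing obvious", not "clean"; the reliable signal remains a hash-pinned lock file that only ever resolves to releases you have already reviewed.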
📊 By The Numbers
2,379 — US Marines whose names and phone numbers were published by Iran-linked Handala
9.4 million — Amtrak records claimed by ShinyHunters via Salesforce; 2.1M independently confirmed on HIBP
11.7 million — ANTS accounts exposed when a 15-year-old breached France's national ID agency
$725 million — Estimated US and Canada cargo theft losses in 2025 — up 60% from 2024
18 minutes — Time it took Socket's AI scanner to flag the compromised PyTorch Lightning versions after publication
⚡ The Signal
None of yesterday's five biggest stories required technical sophistication.
Handala assembled Marine data from open directories and data broker records, no classified breach required. ShinyHunters' Salesforce campaign ran on phone calls: talk an employee out of credentials, then walk in through a valid session. The cargo theft gangs sent emails. The 15-year-old in France had no real operational security; investigators found them in nine days. Even the PyTorch Lightning attack succeeded through one compromised maintainer account, not a novel exploit.
The pattern is consistent: most significant incidents in 2026 are succeeding through the oldest techniques in the playbook — impersonation, credential theft, and the assumption of trust. Defenders who focus on detecting novel malware while leaving helpdesks unauthenticated, credentials unrotated, and package pipelines unmonitored are optimizing for the wrong threat.
When did your organization last test whether a caller claiming to be IT could reset MFA without verification?
🔍 What You May Have Missed
Three arrested in Ukraine for hijacking 610,000 Roblox accounts via stolen session cookies — Ukrainian authorities arrested three suspects who used stolen browser session cookies to hijack and sell access to 610,000 Roblox accounts, targeting young users whose accounts held in-game currency and rare items worth thousands of dollars. The case is a clean illustration of why a stolen session cookie sidesteps both the password and MFA: it is an already-authenticated session, so no login prompt ever fires.
CISA warns of data theft flaw in NSA-built OT network tool — no patch will be released — CVE-2026-6807 affects GrassMarlin, an NSA-developed tool used to map industrial control networks. The flaw allows data theft — and no patch is coming. Organizations using GrassMarlin for OT network visibility should isolate it and treat its output as potentially compromised.
cPanel and WHM emergency patch fixes critical authentication bypass exploited in the wild — The vulnerability allowed unauthenticated attackers to access any cPanel account — affecting millions of websites globally on shared hosting. Update to cPanel 124.0.12 or later immediately if your environment runs cPanel or WHM.
📅 What to Watch
BlueNoroff Calendly/Zoom deepfake campaign — active across 20+ countries; watch for SEAL domain blocking updates and any law enforcement action against the Petrosky Cloud infrastructure.
WordPress Essential Plugin cleanup — forced update stopped new infections but didn't clean wp-config.php; watch for Wordfence and Sucuri publishing automated remediation tools.
CVE-2026-32202 May 12 federal deadline — federal agencies must remediate by May 12; the private sector should treat that date as its own deadline given confirmed active exploitation.
ClickUp API key response — 15 months of silence after disclosure; watch for a public statement or remediation confirmation following this coverage.
Stay sharp. Stay ahead.
Till next time,
The CyberSignal Team
Our Sponsors
⭐️ The AI Report
5 minutes. Every AI story that actually matters.
The AI Report distills the day's most important AI news into one free 5-minute read. No jargon, no filler — just what 400,000+ business leaders need to know before their first meeting.
⭐️ hCaptcha
Catch Bad Actors. Let Good Users Flow.
Online traffic isn’t just “human vs bot” anymore.
It’s AI agents, good bots, bad bots… all blending in and getting harder to detect.
That’s where hCaptcha stands out.
Traditional security methods are falling behind. hCaptcha exposes hidden threats with adaptive AI models and intent analysis, providing instant, private verification.
Don’t just take it from us, hear from one of our customers:
“Compared to last year [when using competitor], we had a 96% reduction in bot throughput.” - Top 10 Gaming Company
Virtually all companies that book a demo with hCaptcha decide to move forward.