
ShinyHunters Stopped Waiting for Leaks and Started Writing Exploits: a PeopleSoft 0-Day, 100+ Orgs, 500K Students

  • Writer: Patrick Duggan
  • 7 minutes ago
  • 3 min read

We have spent a lot of words on ShinyHunters as a data broker — the crew that shows up after someone else's breach, buys or aggregates the data, stands up a leak site, and extorts. Canvas. OnlyFans. The Salesforce-adjacent leak sites the feds shuttered. That was their lane: downstream of the intrusion, monetizing other people's failures. As of this month, that mental model is out of date, and the upgrade is worth paying attention to.


Between roughly May 27 and June 9, 2026 — before Oracle published any advisory — ShinyHunters exploited a zero-day in Oracle PeopleSoft and broke into more than a hundred organizations across more than three hundred PeopleSoft instances. Google's Mandiant tracks the activity as UNC6240. Oracle was forced into an out-of-band security alert on June 10. The bug, CVE-2026-35273, is a remote code execution flaw in PeopleSoft Enterprise PeopleTools rated 9.8 out of 10, and researchers describe the intrusion not as a single exploit but as a gadget chain — a sequence stitching known older vulnerabilities together with the previously undisclosed zero-day. The only publicly confirmed victim so far is a university that has acknowledged the incident after ShinyHunters published more than forty gigabytes of data on roughly half a million current and former students across campuses in the UK, Malaysia, and China.


Read what that actually represents, because the headline number undersells the shift.



The actor moved up the kill chain


The old ShinyHunters needed someone else to make the first mistake. The new ShinyHunters writes the exploit, builds the gadget chain, automates the scanning, and compromises three hundred instances at scale on a zero-day Oracle hadn't even acknowledged yet. They didn't wait for a breach to monetize. They manufactured the breach, at industrial scale, with original vulnerability research. That is a different and more dangerous organism — an extortion crew that has acquired a capability it previously had to source from others.


This is the pattern we keep flagging across unrelated actors: the gap between proof-of-concept and mass exploitation is collapsing, and capability that used to mark a nation-state is now in the hands of financially motivated crews. We watched the same compression with supply-chain worms going public-source this month. ShinyHunters writing their own PeopleSoft gadget chain is the extortion-economy version of the same story. The floor is rising for everyone.



Education, again


The target selection is not random, and it rhymes with their Canvas campaign. Education runs enormous PeopleSoft footprints — student information systems, HR, financials — stuffed with exactly the kind of durable personal data that extortion thrives on, and operated by institutions that are chronically under-resourced on security and slow to patch. ShinyHunters has now hit the education sector twice in quick succession through completely different doors: a learning-management vendor, and now the ERP underneath the registrar. They have found a soft, data-rich vertical and they are working it methodically. If you run PeopleSoft in higher ed, you are not a bystander to this story.



What actually helps here


Honestly: we track ShinyHunters as an actor, and we'd have flagged their infrastructure — but a zero-day gadget chain against your own PeopleSoft instance is not something an external threat feed prevents. What changes the outcome is patching posture and exposure management. Oracle's out-of-band fix for CVE-2026-35273 exists now; the window that mattered was the two weeks before it did, and the defense in that window is not having an internet-facing PeopleSoft PeopleTools instance that a mass-scanning script can reach in the first place. Attack-surface discipline — knowing what of yours is exposed before the adversary's scanner does — is the lever. The threat intel tells you who and what; your own asset inventory decides whether it matters.


And the strategic read for anyone whose vendors run PeopleSoft: more than a hundred orgs were hit, but only one has confirmed publicly. The other ninety-nine-plus are someone's supplier, someone's processor, someone's partner. ShinyHunters breaches propagate through the vendor graph long after the news cycle moves on. The question isn't only "do I run PeopleSoft" — it's "who that holds my data does."
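The two levers the last two paragraphs name, exposure management for your own PeopleSoft footprint and the vendor graph for everyone else's, can be turned into a single triage pass over data you already hold. The script below is an added example written for this post, not code from the original article, from Oracle or from any inventory product: it reconciles an internal asset list with an external-reachability scan and a register of third parties that process your data, then ranks what to act on first. All hosts, vendors and the `patched_cves` field convention are constructed assumptions; the only page-derived value is the CVE identifier, and because the fixed PeopleTools version is not stated on the page, remediation is tracked as a per-asset "confirmed patched" flag rather than a version compare.

```python
"""Exposure and vendor-graph triage for a PeopleSoft zero-day campaign.

Added example, not from the original post or any vendor.  Reconciles an internal
asset inventory with an external-exposure scan and a data-processor register and
ranks findings.  Every record below is constructed sample data; field names and
the `patched_cves` convention are assumptions about how an inventory is kept.
"""
from dataclasses import dataclass, field

# The out-of-band Oracle fix named in the post.  Fixed versions are not on the
# page, so remediation is a per-asset "CVE confirmed patched" flag, not a compare.
CVE = "CVE-2026-35273"


@dataclass
class Asset:
    hostname: str
    product: str                  # e.g. "PeopleSoft PeopleTools" (constructed)
    owner: str                    # responsible team
    patched_cves: set = field(default_factory=set)  # CVEs confirmed remediated


@dataclass
class Vendor:
    name: str
    runs_peoplesoft: bool         # from the processor register (assumption)
    patch_attested: bool          # vendor has attested to applying the fix


@dataclass(frozen=True)
class Finding:
    subject: str
    owner: str
    severity: str                 # "critical" | "high" | "medium"
    reason: str


def is_peoplesoft(asset: Asset) -> bool:
    return "peoplesoft" in asset.product.lower()


def triage(inventory, externally_reachable, vendors, cve=CVE):
    """Rank exposure: internet-facing + unpatched first, then reachable hosts
    the inventory does not know, then unpatched internal hosts, then vendors
    that hold our data without patch attestation."""
    findings = []
    reachable = {h.lower() for h in externally_reachable}
    known = {a.hostname.lower() for a in inventory}

    for a in inventory:
        if not is_peoplesoft(a):
            continue
        exposed = a.hostname.lower() in reachable
        patched = cve in a.patched_cves
        if exposed and not patched:
            findings.append(Finding(a.hostname, a.owner, "critical",
                                    f"internet-facing and unpatched for {cve}"))
        elif exposed:
            findings.append(Finding(a.hostname, a.owner, "high",
                                    "internet-facing; patched, but still reachable by mass scanners"))
        elif not patched:
            findings.append(Finding(a.hostname, a.owner, "medium",
                                    f"internal only; unpatched for {cve}"))

    # Hosts the external scan reaches but inventory has never heard of: the
    # adversary's scanner already knows about them even if you do not.
    for h in externally_reachable:
        if h.lower() not in known:
            findings.append(Finding(h, "unassigned", "high",
                                    "externally reachable but absent from inventory"))

    # The vendor graph: a processor running PeopleSoft without patch attestation
    # is an exposure of our data even though the host is not ours.
    for v in vendors:
        if v.runs_peoplesoft and not v.patch_attested:
            findings.append(Finding(v.name, v.name, "high",
                                    "third party holding our data runs PeopleSoft; no patch attestation"))

    rank = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (rank[f.severity], f.subject))
    return findings


# Constructed sample data; none of these hosts or vendors are real.
SAMPLE_INVENTORY = [
    Asset("hr-ps.example.edu", "PeopleSoft PeopleTools", "hr-it", {CVE}),
    Asset("sis-ps.example.edu", "PeopleSoft PeopleTools", "registrar-it"),
    Asset("fin-ps-internal.example.edu", "PeopleSoft PeopleTools", "finance-it"),
    Asset("lms.example.edu", "Canvas LMS", "teaching-it"),
]
SAMPLE_EXTERNAL_SCAN = ["hr-ps.example.edu", "sis-ps.example.edu", "old-ps.example.edu"]
SAMPLE_VENDORS = [
    Vendor("payroll-processor-example", runs_peoplesoft=True, patch_attested=False),
    Vendor("cloud-backup-example", runs_peoplesoft=False, patch_attested=False),
]


def run_sample():
    return triage(SAMPLE_INVENTORY, SAMPLE_EXTERNAL_SCAN, SAMPLE_VENDORS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity:8}] {f.subject:30} {f.owner:26} {f.reason}")
```

On the constructed sample the one internet-facing, unpatched student-information host ranks above everything else, the host the scan found that inventory does not list comes next alongside the un-attested payroll processor, and the unpatched but internal finance instance lands last. The ordering encodes the post's argument: during the two weeks before the fix existed, only the first category could have been closed by not being reachable, and the vendor row is there because the other ninety-nine-plus victims are somebody's processor.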


We cap our confidence at 95 percent, and the residual here is real: attribution is Mandiant's, the full victim list isn't public, and the gadget chain's exact composition is still being pieced together. But the shape is unambiguous. ShinyHunters stopped waiting for leaks and started writing exploits, they picked a target-rich and under-defended vertical, and they did it on a zero-day at scale. The crew that used to live downstream of breaches now starts them. Plan accordingly.





