Twelve Hours Ago We Said the Empty PeopleSoft Repos Were a Tripwire, Not a Weapon. Tonight One Filled With a 7KB Python Exploit. CVE-2026-35273 Is Becoming Commodity.
- Patrick Duggan
This morning we published a post making a narrow, careful argument. The PeopleSoft zero-day CVE-2026-35273 — the unauthenticated remote code execution that ShinyHunters used to breach more than a hundred organizations, two-thirds of them universities — had attracted two new GitHub repositories named after the CVE. We opened them, found seventeen and three kilobytes of nothing, and refused to call it a public proof-of-concept, because it was not one. What we called it instead was a tripwire: empty repository-squatting under a hot CVE name is the sound of people racing to be first when the working exploit lands, and we said the window between the empty box and a real one was the time defenders had left. We ended the post with a commitment — that we would say so when one of those boxes filled, because we would keep opening them and looking. It has been about twelve hours. We looked again. One filled.
What Is In The Box Now
The repository 0xBlackash/CVE-2026-35273, which earlier today was a three-kilobyte placeholder with nothing in it but the CVE number, now contains a seven-kilobyte Python file named CVE-2026-35273.py and a full README. The README is not a stub. It is a professionally formatted writeup — severity badges, a CVSS 9.8 rating, the CWE-306 classification, the correct vendor and product, and a description that correctly names the Updates Environment Management component as the vulnerable surface and unauthenticated network-reachable RCE as the impact. There is an AI-generated cover image dated this morning. Whatever else is true about it, this is no longer an empty box with a scary label. It is a packaged exploit artifact with documentation, sitting in public, free to clone. The thing we said was borrowed time this morning is being spent tonight.
We Are Going To Be Precise About What This Is And Isn't
The discipline that made this morning's post correct is the same discipline that has to govern tonight's, so here is the honest calibration. This is one repository, it has a single star, and a seven-kilobyte script is a compact exploit, not a battle-tested mass-exploitation framework with a target list and evasion built in. We have not validated that it fires reliably against a live PeopleSoft instance, and we are not going to pretend we have. What we can say with certainty is the thing that actually matters for your weekend: the curve we described this morning is no longer hypothetical. The empty box is filling. The transition from "people are squatting the CVE name" to "a documented Python exploit is published and clonable" is the exact transition we told you to watch for, and it happened inside a single day. A working public proof-of-concept does not arrive as a finished product; it arrives as a seven-kilobyte script in a one-star repo that gets forked, refined, and folded into someone's scanner over the following days. That is what early commoditization looks like from the inside, and you are looking at it.
Why The Same-Day Turn Is The Whole Point
We are not running this as a victory lap; we are running it because the speed is the lesson. A 9.8 unauthenticated RCE that a sophisticated extortion crew was already exploiting in the wild gives exploit developers an enormous head start — they have the advisory, they have the in-the-wild traffic to study, and increasingly they have AI assistance to turn that into code. The gap between disclosure and a public PoC used to be measured in weeks, and we have spent this week documenting it collapsing toward hours: Check Point, Cisco SD-WAN, and Langflow all went advisory-to-public-exploit in days, and now PeopleSoft went empty-box-to-published-script in one. The reason we watch the empty repositories at all is that they are the earliest possible signal — earlier than the working exploit, earlier than the scanner integration, earlier than the mass-exploitation wave. The tripwire is worth setting precisely because it gives you the most lead time any signal can. This morning it gave you twelve hours. If your PeopleSoft instances are still reachable and unpatched on Monday, that lead time was the whole gift, and it will have been wasted.
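An added example, not code from the original post: a minimal tripwire check that compares two snapshots of repositories named after the CVE and flags the placeholder-to-code transition described above. It classifies by file listing rather than repository size, since a seventeen-kilobyte repository can still hold nothing; the file sizes, the second repository name and the extension lists are constructed assumptions.

```python
from pathlib import PurePosixPath

# Heuristic lists (assumptions for this example, tune for your own monitoring).
DOC_NAMES = {"readme", "readme.md", "license", "license.md", ".gitignore"}
MEDIA_EXT = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp"}
CODE_EXT = {".py", ".go", ".rb", ".sh", ".c", ".java", ".js", ".ps1"}

def code_files(listing):
    """Return sorted (path, size) pairs that look like code, not docs or images."""
    found = []
    for path, size in listing.items():
        p = PurePosixPath(path)
        if p.name.lower() in DOC_NAMES or p.suffix.lower() in MEDIA_EXT:
            continue
        if p.suffix.lower() in CODE_EXT and size > 0:
            found.append((path, size))
    return sorted(found)

def classify(listing):
    """'filled' once any non-empty code file is present, else 'placeholder'."""
    return "filled" if code_files(listing) else "placeholder"

def diff_snapshots(before, after):
    """Alert on new CVE-named repos and on placeholder -> filled transitions."""
    alerts = []
    for repo, listing in sorted(after.items()):
        was = classify(before[repo]) if repo in before else "absent"
        now = classify(listing)
        if now != was and (now == "filled" or was == "absent"):
            alerts.append({"repo": repo, "was": was, "now": now,
                           "files": code_files(listing)})
    return alerts

# Constructed snapshots: {repo: {path: size_in_bytes}}. Sizes are illustrative.
MORNING = {
    "0xBlackash/CVE-2026-35273": {"README.md": 3072},
    "example-user/CVE-2026-35273": {"README.md": 1024, "banner.png": 16384},
}
EVENING = {
    "0xBlackash/CVE-2026-35273": {"README.md": 4096, "cover.png": 90000,
                                  "CVE-2026-35273.py": 7168},
    "example-user/CVE-2026-35273": {"README.md": 1024, "banner.png": 16384},
}

if __name__ == "__main__":
    for alert in diff_snapshots(MORNING, EVENING):
        print(alert)
```

The first sighting of a CVE-named repository raises an alert even when it is a placeholder, and a second alert fires only when a code file appears.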
What A Defender Does This Weekend
Treat the window as closing, because it is. Apply Oracle's out-of-band fix for PeopleTools 8.61 and 8.62 now — this weekend, not after the change-management meeting on Tuesday — because the published script lowers the bar from "a capable crew with a private exploit" to "anyone who can clone a repository and run python." If you cannot patch immediately, get internet-facing PeopleSoft instances off the open internet behind authentication, since unauthenticated network reachability over HTTP is the entire precondition of the bug. Hunt backward across Google's documented exploitation window — May 27 to June 9 — for the targeted ShinyHunters phase, because if you were hit, it happened before any public PoC and your logs are the only place that shows it. And internalize the cadence for the next one, because there will be a next one: the empty box is the alarm, the filling box is the clock running out, and the gap between them is shrinking. We opened the box this morning and told you it was empty. We opened it again tonight and it is not. That is the entire warning, delivered as early as anyone could deliver it — and the next move is yours.
