We Said the PeopleSoft PoC Would Drop. Overnight Two GitHub Repos Appeared With the CVE Number and Almost Nothing Else. That Is Not a Weapon. It Is the Tripwire.
- Patrick Duggan
Yesterday we published on CVE-2026-35273, the unauthenticated remote-code-execution zero-day in Oracle PeopleSoft that ShinyHunters used to breach more than a hundred organizations, two-thirds of them universities. We ended that post with a specific prediction: our exploit harvester watches GitHub for the public proof-of-concept that would turn a targeted, hundred-victim campaign into a commodity one that anyone could run, and we said it was watching for exactly that drop. Overnight, the harvester flagged two new GitHub repositories named after the CVE. The honest thing to do with a hit like that is not to announce that the PoC has dropped. It is to open the repositories and look, and looking is the whole point of this post.
What Is Actually In The Repos
There are two of them. One is seventeen kilobytes; the other is three. Both were created within hours of each other, both have zero stars, and both carry a description that is nothing more than the CVE identifier repeated back. There is no working exploit chain in either, no documented request that triggers the SQL-injection-to-RCE path, none of the scaffolding a real proof-of-concept carries. They are, as far as anyone can verify right now, empty boxes with a dangerous label on the outside — and independent reporting agrees, with no confirmed public working PoC for CVE-2026-35273 as of yesterday. So we are not going to tell you the PoC dropped, because it did not. We are going to tell you something more useful about what did.
The Repo Name Is Not The Weapon
Our harvester matches on signal, and one of the signals it matches on is a repository named after a CVE. That is the correct thing to flag — most real proof-of-concepts do live in repos named exactly this way — but a name match is a lead, not a conclusion. The verification step is non-negotiable: open the repo, check its size, its commit history, its actual contents, and corroborate against independent reporting before you escalate. We almost skipped that step this morning. The harvester said two new CVE-2026-35273 repos, the instinct said the drop we predicted had arrived, and the honest pass — opening them and finding seventeen and three kilobytes of nothing — is the only reason this is a true post instead of a wrong one. This is the same discipline we wrote about last night with the Shodan numbers, where fourteen hundred "exposed" Ivanti hosts turned out to be three-quarters cloud-VPS noise the moment we faceted by who was hosting them. A surface signal — a repo name, an exposure count, a leak-site claim — is where the work starts, not where it ends. Take it at face value and you will publish fear instead of intelligence.
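One way to make that verification gate mechanical, as an added Python example that is not the author's harvester code: it scores a CVE-named repository on the checks this section names (size, stars, commit history, description, contents, independent corroboration) and refuses to escalate on a name match alone. The repository records, the file list and the thresholds are constructed assumptions; a real harvester would fill them from the GitHub API.

```python
# Added example: a verification gate for CVE-named repositories flagged by a
# name match. Thresholds and the sample records below are assumptions.
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
PLACEHOLDER_FILES = {"README.md", "README", "LICENSE", ".gitignore"}

def triage(repo: dict) -> dict:
    """Return {'cve', 'verdict', 'reasons'} for one repository record."""
    cve = CVE_RE.search(repo.get("name", ""))
    if not cve:
        return {"cve": None, "verdict": "ignore", "reasons": ["no CVE in name"]}
    cve_id = cve.group(0).upper()
    desc = (repo.get("description") or "").strip().upper()
    files = set(repo.get("files", []))
    reasons = []
    if repo.get("size_kb", 0) < 32:
        reasons.append("tiny repository")
    if repo.get("stars", 0) == 0:
        reasons.append("zero stars")
    if repo.get("commits", 0) <= 1:
        reasons.append("single or no commit")
    if desc in ("", cve_id):
        reasons.append("description is only the CVE id")
    if not files - PLACEHOLDER_FILES:
        reasons.append("no code files, only placeholder files")
    if not repo.get("corroborated", False):
        reasons.append("no independent confirmation of a working PoC")
    # Most placeholder signals present: a squat / tripwire, not a weapon.
    # Escalation needs real content plus independent corroboration.
    if len(reasons) >= 4:
        verdict = "placeholder"
    elif repo.get("corroborated") and files - PLACEHOLDER_FILES:
        verdict = "escalate"
    else:
        verdict = "needs-manual-review"
    return {"cve": cve_id, "verdict": verdict, "reasons": reasons}

# Constructed records mirroring the two repositories the post describes.
SAMPLE_REPOS = [
    {"name": "CVE-2026-35273", "description": "CVE-2026-35273", "size_kb": 17,
     "stars": 0, "commits": 1, "files": ["README.md"], "corroborated": False},
    {"name": "cve-2026-35273-poc", "description": "CVE-2026-35273", "size_kb": 3,
     "stars": 0, "commits": 1, "files": ["README.md"], "corroborated": False},
]

if __name__ == "__main__":
    for record in SAMPLE_REPOS:
        print(triage(record))
```

Both constructed records come back as "placeholder"; only a repository with code files and independent confirmation of a working chain reaches "escalate".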
So Why Does This Matter At All
Because an empty repo with a hot CVE number on it is not nothing. It is a tripwire. When a critical, actively-exploited zero-day gets repository-squatted within hours of disclosure — placeholders staked out under the CVE name before any code exists — that is people positioning to be first when the working exploit lands, and the appetite to be first is itself a measurement of how much demand there is for this particular weapon. The squatting is the early end of a curve we have watched complete many times: name the repo, then over the following hours or days fill it with a working chain reverse-engineered from the advisory and the in-the-wild traffic, then watch it propagate. CVE-2026-35273 is unauthenticated, it is 9.8, and it is already being exploited by a sophisticated crew, which means the advisory plus the live attacks give exploit developers a generous head start. The empty boxes are the sound of that race starting. The window between today and a real public PoC is still open — and that open window is exactly the time you have left to act, which is the only reason any of this is worth your attention.
What A Defender Does With An Open Window
Treat the absence of a public PoC as borrowed time, not as safety. Apply Oracle's out-of-band fix for PeopleTools 8.61 and 8.62 now, while patching is still ahead of commoditization rather than behind it. If you cannot patch immediately, get internet-facing PeopleSoft instances off the open internet behind authentication, because the entire premise of this bug is unauthenticated reachability over HTTP. Hunt backward across the documented exploitation window — Google placed the activity between May 27 and June 9 — for anomalous access to the affected components, because if you were already hit, the targeted campaign reached you before any commodity PoC could. And watch the same repos we are watching, because the moment one of those empty boxes fills with a working chain, the population of people capable of running this stops being one sophisticated crew and starts being everyone. We will say so when it happens, and we will say so because we opened the box and looked, not because the name on the outside scared us. That is the difference between watching a tripwire and tripping over it.
