THE article reports on an active cyber extortion campaign by the threat group ShinyHunters (UNC6240), targeting Oracle PeopleSoft systems through the exploitation of a critical vulnerability (CVE-2026-35273) identified in the Environment Management component. The campaign saw exploitation from May 27 to June 9, 2026, before Oracle released an advisory. Mandiant notified over 100 organizations at risk, primarily in the higher education sector, about the activity.
Attackers staged compromised infrastructure using fake cloud endpoints to run commands and deploy lateral movement scripts, which facilitated data leaks published on the ShinyHunters Data Leak Site. Key recommendations for organizations include restricting access to vulnerable components, performing access log analysis, monitoring network telemetry, and conducting thorough audits for signs of compromise. The article concludes with a list of indicators of compromise (IOCs) to aid in threat detection.