MANDIANT and Google Threat Intelligence Group (GTIG) reported an active compromise and extortion campaign by UNC6240 (ShinyHunters) targeting Oracle PeopleSoft applications between May 27 and June 9, 2026. The exploitation involved CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) specifically affecting the Environment Management component, enabling zero-day attacks. GTIG notified over 100 global organizations, primarily in the U.S. higher education sector, of potential vulnerabilities.
The attackers used customized agents on staging servers to run commands and deploy malicious scripts, leading to data leaks published on the ShinyHunters Data Leak Site on June 9, 2026. Immediate defensive actions for Oracle PeopleSoft users are recommended.