SHINYHUNTERS exploited a zero-day vulnerability (CVE-2026-35273) in Oracle's PeopleSoft software to breach over 100 organizations, primarily in higher education. The breach, occurring from May 27 to June 9, 2026, involved using the Environment Management Hub (EMHub) service for remote code execution without authentication.
Researchers from Mandiant and Google's Threat Intelligence Group reported that ShinyHunters had compromised more than 300 PeopleSoft instances, leaking sensitive data from institutions including the University of Nottingham. Although some organizations utilized web application firewalls, they weren't foolproof, prompting Oracle to advise an immediate patch and suggested mitigating actions like disabling EMHub access.