ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities

thehackernews.com 2026-06-12 SaaS AI risk Critical

What Happened

The ShinyHunters extortion crew exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. The campaign hit universities hardest. Google's Mandiant attributes it to the group it tracks as UNC6240, and dates the activity between May 27 and June 9. Oracle did not publish its advisory until June 10, so the bug was a

Why It Matters

The article reports that the ShinyHunters extortion group exploited a zero‑day vulnerability (CVE-2026-35273) in Oracle PeopleSoft to compromise more than 100 organizations, with universities disproportionately affected, stealing large volumes of sensitive student and administrative data and issuing extortion demands.[1][2][3] Oracle reportedly released an advisory only after the active exploitation window, indicating a period of unpatched exposure. From a CyberSE.AI perspective, this highlights a critical SaaS and software supply‑chain risk: AI systems and agents that integrate with or depend on ERP/SIS platforms like PeopleSoft may silently inherit compromise, data integrity issues, and unauthorized data exposure when core university business systems are breached. Organizations should treat major SaaS/ERP platforms as part of their AI supply chain, maintain SBOM and dependency visibility, and ensure that AI agents have least‑privilege, monitored access so that a PeopleSoft‑level breach cannot be used to pivot into AI workflows or exfiltrate training and inference data.

Healthcare Fintech SaaS SMB AI startups

CyberSE Analysis

This signal maps to SaaS AI risk. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html
