A sophisticated cybercriminal group known as ShinyHunters has launched a targeted attack campaign against educational institutions, exploiting a previously unknown vulnerability in Oracle's PeopleSoft enterprise software. The attackers leveraged this zero-day flaw (CVE-2026-35273) to infiltrate university systems, exfiltrate sensitive data, and subsequently attempt extortion against the affected organizations. According to security researchers at Google's Mandiant, who track this threat actor as UNC6240, the attacks occurred during a two-week period from late May to early June, leaving universities particularly vulnerable as Oracle had not yet released a security advisory or patch.

The PeopleSoft platform, widely used by universities for human resources, finance, and student administration functions, became an unexpected gateway for attackers. ShinyHunters exploited this zero-day vulnerability to gain unauthorized access to enterprise systems containing vast amounts of personal and institutional data. Following the breach, the threat actors followed their typical extortion playbook, stealing sensitive information and then demanding payment to prevent its public release. The timing of these attacks was especially concerning, as they occurred before Oracle published its security advisory on June 10,