Cybersecurity teams from Google and Alphabet’s Mandiant have uncovered an active campaign by the hacking group ShinyHunters exploiting a zero-day vulnerability in Oracle’s PeopleSoft software. The attackers primarily targeted the education sector, including multiple organizations in India and globally.

  • ShinyHunters exploited a zero-day PeopleSoft vulnerability before patch release
  • 68% of affected endpoints belonged to educational institutions globally
  • Google alerted over 100 organizations including many in India

What happened

Google’s Threat Intelligence Group and Mandiant reported that between May 27 and June 9, 2026, the hacking group ShinyHunters exploited a previously unknown zero-day vulnerability in Oracle’s PeopleSoft enterprise software. PeopleSoft is widely used for critical business operations such as human resources, finance, and supply-chain management. The hackers deployed customized MeshCentral agents, which masqueraded as legitimate cloud endpoints, to run administrative commands and gain control over vulnerable systems.

This exploitation campaign was identified following active scanning and intrusion attempts targeting over 100 organizations worldwide. The majority of these organizations were based in the United States, but a significant portion were entities within India’s education sector, underscoring the broad impact of the attack. Until Oracle publicly disclosed the vulnerability in a security advisory on June 10, the attackers used this zero-day exploit while no patch was available.

Why it matters

The exploitation of a zero-day vulnerability in widely deployed enterprise software such as Oracle PeopleSoft poses serious risks to organizations that rely on the platform to manage critical business functions. Because PeopleSoft supports essential processes in educational institutions, the attacks jeopardized sensitive administrative and student data. The high concentration of affected endpoints within the education sector, accounting for 68% of cases, highlights systemic vulnerabilities in the sector’s cybersecurity posture.

ShinyHunters' history of targeting companies for extortion adds a further layer of risk, as compromised data could be used for ransom demands or data leaks. Their recent dealings with education technology providers, such as striking a data ransom deal with Canvas’s parent company Instructure, demonstrate their ongoing focus on educational institutions worldwide, including in India’s expanding edtech ecosystem.

What to watch next

Organizations using Oracle PeopleSoft, especially educational institutions in India and globally, should prioritize immediate vulnerability assessments and apply security patches as soon as they are available. Monitoring for suspicious MeshCentral agent activity or other anomalies in PeopleSoft environments will be crucial to preventing further unauthorized access or data breaches.

Given the ongoing activities of ShinyHunters and their extortion tactics targeting education, regulators and industry stakeholders may increase cybersecurity requirements and incident reporting standards. The broader impact on the education sector’s digital security infrastructure should drive improvements in threat detection capabilities and collaboration across public and private cybersecurity entities to mitigate future risks.

Source assisted: This briefing began from a discovered source item from Economic Times Tech.