Hackers Attacked Universities for Two Weeks Before Oracle Knew

ShinyHunters exploited an Oracle PeopleSoft zero-day for 13 days before the company even knew it existed. Meanwhile: a ransomware group that spreads like a worm, GitHub's plan to fix npm's biggest security problem, and a flaw that bypasses Windows BitLocker.


๐ŸŒ World Intel

GitHub Announces npm v12 Will Disable Install Scripts by Default

GitHub announced that npm version 12 — the package manager that millions of JavaScript developers use to download and manage code libraries — will disable install-time lifecycle scripts by default. GitHub's own security team described these scripts as "the single largest code-execution surface in npm." When you install a package from npm, it can run arbitrary code on your machine as part of installation — most developers don't realize this happens. Malicious packages routinely use this to deploy malware silently. The change in npm v12 means packages will need explicit developer permission to run install scripts, dramatically reducing the blast radius of a poisoned package.

Source: The Hacker News

GreatXML: A Windows BitLocker Bypass Found by Accident

A researcher called Chaotic Eclipse — who previously discovered the RoguePlanet Windows Defender flaw — accidentally found a technique that bypasses BitLocker, Microsoft's full-disk encryption. The attack, called GreatXML, works by placing specially crafted XML files in Windows' recovery partition — a small hidden section of your drive used for system repairs. When Windows reads these files during a recovery operation, it can be coaxed into revealing or bypassing encryption in ways it shouldn't. BitLocker is the feature many organizations rely on to ensure stolen laptops don't expose their data. This research suggests that reliance may be misplaced in certain scenarios.

Source: The Hacker News

The Gentlemen Ransomware Group Has 478 Victims and Can Spread Like a Worm

A ransomware group called The Gentlemen (also tracked as Phantom Mantis) has claimed 478 victims. What makes it unusual: the ransomware can self-propagate across a network like a worm — it doesn't need a person to manually deploy it on each machine. The group is believed to be Russian-led and draws its talent from former affiliates of LockBit, Qilin, and Medusa — three ransomware groups that were disrupted by law enforcement in 2024 and 2025. The criminal ecosystem reorganizes after each takedown, and The Gentlemen appear to represent the latest recombination.

Source: The Hacker News

โš”๏ธ Active Attacks

ShinyHunters Exploited Oracle PeopleSoft Zero-Day for 13 Days Before Oracle Knew

The ShinyHunters group (tracked as UNC6240) breached multiple universities and stole data by exploiting a flaw in Oracle PeopleSoft — the HR, financial, and student records software used by hundreds of universities and large organizations. The flaw, CVE-2026-35273, is a zero-day with a CVSS score of 9.8 — about as bad as it gets. Attacks ran from May 27 to June 9. Oracle's advisory wasn't released until June 10. That means the flaw was a true zero-day for the entire duration of the attacks — Oracle had no idea it existed until after victims were already compromised.

What you can do: If your organization uses Oracle PeopleSoft, apply the June 10 advisory patch immediately. Review access logs for unusual activity between May 27 and June 10. ShinyHunters' typical model is to steal data and demand payment for its deletion — if compromised, engage legal counsel before responding to any ransom demands.

Source: The Hacker News

🔓 New Vulnerabilities

CVE-2026-35273 · Oracle PeopleSoft · CVSS 9.8 — Critical

Unauthenticated remote code execution in Oracle PeopleSoft — the software used by universities, hospitals, and large organizations to manage HR, finance, and student records. No login required. Actively exploited for 13 days before Oracle issued an advisory. Universities were the primary targets in the documented campaign, but PeopleSoft deployments in any sector should be considered at risk.

Patch immediately from Oracle's June 2026 advisory. Investigate logs for compromise between May 27 and June 10. Restrict PeopleSoft to internal network access only.

GreatXML (no CVE assigned) · Windows BitLocker (Recovery Partition Bypass) · High — research disclosure

XML files placed in Windows' recovery partition can bypass or weaken BitLocker disk encryption under certain conditions. Discovered by Chaotic Eclipse, the same researcher behind the RoguePlanet Windows Defender flaw. Microsoft has not yet issued a patch or advisory.

No patch available. Monitor Microsoft security advisories. For high-value systems, consider supplementing BitLocker with pre-boot authentication (a PIN or USB key), which adds a layer that BitLocker bypass techniques typically cannot overcome.

npm install scripts · npm Package Manager (Install Script Attack Surface) · Systemic — addressed in npm v12

Not a single vulnerability — a structural risk. Any npm package can run arbitrary code on a developer's machine at install time. This has been used repeatedly in supply chain attacks to deploy malware silently. npm v12 will disable this by default.

Update to npm v12 when available. In the meantime, audit packages before installing them โ€” tools like Socket.dev flag packages with suspicious install scripts before you run them.

🛠 New Tech

The Gentlemen ransomware group's self-spreading capability is a reminder that most organizations' endpoint defenses are designed to stop malware at the entry point — but once inside, a self-propagating worm can spread faster than security teams can respond manually. The defensive technique designed for this scenario is called network segmentation: dividing your network into isolated zones so that malware that gets into one zone can't automatically reach everything else. Think of it like watertight compartments in a ship — if one section floods, the others stay dry. Most enterprise firewall products support segmentation, but many organizations never fully implement it. A ransomware worm that can self-propagate makes segmentation worth revisiting as a priority project, not a future nice-to-have.

💡 Deep Dive

The Oracle PeopleSoft Zero-Day: What Happens When the Clock Starts Before Anyone Knows

Most security discussions assume a simple timeline: someone finds a flaw, they tell the software company, the company fixes it, users update, and everyone is safer. The Oracle PeopleSoft situation this week shows how different reality can be.

PeopleSoft is enterprise software that Oracle sells to universities, hospitals, and large organizations for managing HR, finance, and student records. It holds some of the most sensitive data those organizations have: payroll records, financial accounts, student grades, employee personally identifiable information. It's also, critically, often accessible from the internet — because university staff and students log in from off campus.

On May 27, a group called ShinyHunters started exploiting a flaw in PeopleSoft. They didn't report the bug to Oracle first. They didn't publish research and give Oracle time to respond. They just used it — quietly, against real targets, with no warning. The flaw is CVE-2026-35273: unauthenticated remote code execution, rated 9.8 out of 10 on the CVSS severity scale. No login required. Just send a crafted request to the internet-facing PeopleSoft server and you're in.

Oracle's advisory didn't come out until June 10. That's 13 days after the attacks started. For those 13 days, there was no patch. No workaround. No public warning. Universities had no way to know they were being actively attacked through a vulnerability that didn't officially exist yet.

This is what a true zero-day looks like in practice. Not a research demo. Not a theoretical scenario. Attackers with stolen data. Universities whose student and employee records are now in someone else's hands.

ShinyHunters' business model is straightforward: they steal data and contact the victim organization. Pay them, and they claim they'll delete it. Don't pay, and they publish it or sell it on dark web forums. It's extortion, not ransomware in the traditional sense — they don't encrypt files, they just take them. The practical advice: if you receive contact from ShinyHunters, engage legal counsel immediately before responding. Payment decisions have legal implications that go beyond just the ransom amount, especially for organizations that handle personal data covered by privacy laws.