
Cyware Daily Threat Intelligence - June 12, 2026


Attackers are turning trusted campus systems into covert entry points, as a zero-day in Oracle PeopleSoft let intruders run administrative commands and plant disguised MeshCentral agents before a patch landed. Cyware tracked over 100 organizations exposed in this campaign, with 68% of victims in higher education—putting HR, finance, and supply-chain workflows at risk of operational disruption.

Ransomware crews are slashing through defenses at scale: the Gentlemen operation, led by LARVA-368, has already claimed 478 victims since March 2025. By exploiting known vulnerabilities and leveraging custom tools, Gentlemen is driving downtime, data loss, and extortion pressure across the U.K., Germany, and beyond—leaving a trail of encrypted systems and exposed affiliate structures.

Developers building on Solana face a new supply-chain threat as Solana FakeFix poisons npm and PyPI with 20 malicious packages. These tainted dependencies, pushed as “stable-build fixes,” steal wallet keys and cloud credentials, turning a routine install into a compromise that can ripple through CI pipelines and shared environments.

Top Malware Reported in the Last 24 Hours

PeopleSoft zero-day campaign

The PeopleSoft zero-day is a critical exploitation campaign targeting Oracle PeopleSoft systems to gain unauthorized access and execute administrative commands. Attackers use the PeopleSoft zero-day to plant customized MeshCentral agents disguised as legitimate services, maintaining covert, long-term access. The PeopleSoft zero-day enables persistent control over HR, finance, and supply-chain workflows by bypassing standard authentication. Attackers deliver the malware by exploiting the flaw before Oracle issued an advisory on June 10. The campaign disproportionately targets higher education, with 68% of over 100 notified organizations in that sector. Google Threat Intelligence Group and Mandiant identified the activity and coordinated notifications.

Gentlemen ransomware

The Gentlemen ransomware is an extortion-focused malware operated by LARVA-368. Gentlemen exploits known vulnerabilities including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073 to gain initial access, then uses tools such as TaskHound, PrivHound, and CertiHound for privilege escalation and defense evasion. Gentlemen encrypts systems using a hybrid scheme based on X25519 and XChaCha20, clears Windows Event Logs, and disables Microsoft Defender. The ransomware is delivered through exploitation of unpatched systems and is promoted via underground forums and an affiliate program. Gentlemen targets organizations in the U.K., Germany, and other regions. A leak of the group’s internal Rocket.Chat database revealed operational details and affiliate structures.
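Gentlemen's post-access tradecraft described above pairs two host signals, event-log clearing and Defender being switched off. The following detection logic is an added example (not from Cyware or any vendor) that correlates those two signals per host over constructed SIEM-style JSON records; the channel names and event IDs are standard Windows ones, and the host names and timestamps are made up.

```python
"""Correlate Windows event-log clearing with Defender being disabled on one host."""
import json
from datetime import datetime, timedelta

# Standard Windows event IDs: 1102 = Security log cleared, 104 = a log cleared
# (logged in System), 5001 = Microsoft Defender real-time protection disabled.
LOG_CLEARED = {("Security", 1102), ("System", 104)}
DEFENDER_OFF = {("Microsoft-Windows-Windows Defender/Operational", 5001)}
WINDOW = timedelta(minutes=30)  # both signals within this span on one host = alert


def parse(lines):
    """Turn JSON lines into (host, timestamp, channel/event-id key) records."""
    events = []
    for raw in lines:
        ev = json.loads(raw)
        events.append({"host": ev["host"],
                       "ts": datetime.fromisoformat(ev["ts"]),
                       "key": (ev["channel"], ev["event_id"])})
    return sorted(events, key=lambda e: e["ts"])


def correlate(lines):
    """Return hosts where a log-clear and a Defender-off event fall within WINDOW."""
    by_host = {}
    for ev in parse(lines):
        by_host.setdefault(ev["host"], []).append(ev)
    hits = []
    for host, evs in by_host.items():
        clears = [e["ts"] for e in evs if e["key"] in LOG_CLEARED]
        offs = [e["ts"] for e in evs if e["key"] in DEFENDER_OFF]
        if any(abs(c - o) <= WINDOW for c in clears for o in offs):
            hits.append(host)
    return hits


# Constructed sample records: fs01 shows both signals five minutes apart,
# db03 shows both but hours apart, ws22 only clears a log (routine maintenance).
SAMPLE_LOGS = [
    '{"host":"db03","ts":"2026-06-11T01:00:00","channel":"Microsoft-Windows-Windows Defender/Operational","event_id":5001}',
    '{"host":"fs01","ts":"2026-06-11T02:10:00","channel":"Microsoft-Windows-Windows Defender/Operational","event_id":5001}',
    '{"host":"fs01","ts":"2026-06-11T02:15:00","channel":"Security","event_id":1102}',
    '{"host":"db03","ts":"2026-06-11T08:00:00","channel":"System","event_id":104}',
    '{"host":"ws22","ts":"2026-06-11T09:00:00","channel":"Security","event_id":1102}',
]

if __name__ == "__main__":
    print("hosts to investigate:", correlate(SAMPLE_LOGS))  # → ['fs01']
```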

Solana FakeFix supply-chain campaign

The Solana FakeFix campaign is a supply-chain attack that distributes 16 malicious npm packages and 4 PyPI packages impersonating Solana tooling. Solana FakeFix executes attacker-controlled code during installation or import, targeting developer credentials such as Solana wallet keys, SSH keys, and AWS credentials. Solana FakeFix is delivered via GitHub issue spam and packages pushed as “stable-build fixes” by the account PassWord1337. The campaign targets developers and CI environments building on Solana. Over time, Solana FakeFix evolved from simple backdoors to trojanized libraries that append malicious code to legitimate JavaScript bundles.
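The package names above are the concrete indicator a developer or CI job can act on. The script below is an added example (not Cyware's or Solana's code) that checks a parsed package.json, including ones under node_modules, for the reported FakeFix names, for scopes that imitate the genuine @solana scope (an assumption about the legitimate SDK's scope), and for install-time lifecycle hooks, which is where this campaign's code executes. The sample manifest is constructed.

```python
"""Flag Solana FakeFix package names, lookalike scopes and install hooks in package.json."""
import json
import re

# Malicious npm names reported for the Solana FakeFix campaign.
KNOWN_BAD = {
    "@solana-labs/web3.js",
    "@solana-labs/spl-toke",
    "solana-web3-stable",
    "solana-rpc-client",
}
# Assumption: the genuine Solana JavaScript SDK is published under the "@solana"
# scope, so any other scope containing "solana" is treated as a lookalike.
LEGIT_SCOPE = "@solana"
LOOKALIKE = re.compile(r"^@(?!solana/)[^/]*solana[^/]*/", re.IGNORECASE)
# npm lifecycle hooks that run code at install time, before anything is imported.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def check_manifest(manifest: dict) -> list:
    """Return human-readable findings for one parsed package.json."""
    findings = []
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    for name in deps:
        if name in KNOWN_BAD:
            findings.append(f"known FakeFix package: {name}")
        elif LOOKALIKE.match(name):
            findings.append(f"lookalike scope, expected {LEGIT_SCOPE}/: {name}")
    for hook in INSTALL_HOOKS:
        if hook in manifest.get("scripts", {}):
            findings.append(f"install-time hook {hook!r}: {manifest['scripts'][hook]}")
    return findings


# Constructed sample manifest (not a real project file).
SAMPLE = json.loads("""{
  "name": "demo-dapp",
  "dependencies": {
    "@solana/web3.js": "^1.95.0",
    "@solana-labs/spl-toke": "1.0.3",
    "solana-web3-stable": "0.2.1",
    "@solana-official/spl-token": "2.0.0"
  },
  "scripts": { "postinstall": "node ./scripts/setup.js" }
}""")

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE):
        print(finding)
```

Run it against every package.json under node_modules after an install (or in CI before the install step, on the lockfile's manifests) rather than only the project root; a postinstall hook alone is not proof of compromise, but one appearing in a freshly added Solana-named dependency deserves a look.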

Top Threat Actors Reported in the Last 24 Hours

ShinyHunters

The ShinyHunters cybercrime group, whose aliases and region of origin are not specified in this report, is primarily motivated by mass data theft. ShinyHunters exploits CVE-2026-35273 in Oracle PeopleSoft to gain unauthorized access, deploy customized MeshCentral agents, and use scripts such as [victim_abbreviation]_fanout[.]sh to move laterally and exfiltrate data. ShinyHunters targets US higher education, with 68% of over 100 affected organizations in that sector. The group’s recent campaign breached the University of Nottingham, impacting data tied to over 450,000 individuals, and exfiltrated sensitive records including passport numbers, addresses, and email addresses. Researchers from Google Threat Intelligence Group and Mandiant documented the operation, which also leveraged public DLS mirrors for data staging. ShinyHunters’ history includes the Odido breach, which exposed data from over six million individuals.

Frequently Asked Questions

  1. What is Oracle PeopleSoft? Oracle PeopleSoft was hit by a zero-day campaign that attackers actively exploited from May 27 to June 9, gaining unauthorized access before Oracle issued an advisory on June 10. The intruders used the flaw to run administrative commands and then planted customized MeshCentral agents disguised as legitimate services to keep covert, long-term access.

  2. What is Gentlemen? Gentlemen, a ransomware operation led by LARVA-368, has claimed 478 victims since March 2025 and advertises itself aggressively on underground forums. It breaks into environments by exploiting known flaws including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073, then uses tools such as TaskHound, PrivHound, and CertiHound to escalate access and evade defenses.

  3. What is Solana FakeFix? Solana FakeFix is a supply-chain campaign that tricks developers into installing 16 malicious npm packages and 4 PyPI packages that impersonate Solana tooling to steal secrets. The packages include names such as @solana-labs/web3.js, @solana-labs/spl-toke, solana-web3-stable, and solana-rpc-client, pushed as “stable-build fixes” through GitHub issue spam tied to the account PassWord1337.

  4. What is ShinyHunters? ShinyHunters, a cybercrime group known for mass data theft, has been exploiting a PeopleSoft zero-day to break into university systems and pull out sensitive records at scale. Between May 27, 2026, and June 9, 2026, they used CVE-2026-35273 in Oracle PeopleSoft’s Environment Management component to gain unauthorized access, deploy malicious agents and scripts, and exfiltrate data from affected environments.

  5. What is CVE-2026-35273? CVE-2026-35273 is the zero-day in Oracle PeopleSoft’s Environment Management component that ShinyHunters, a cybercrime group known for mass data theft, exploited between May 27, 2026, and June 9, 2026, before Oracle issued an advisory on June 10. The group used it to gain unauthorized access to university systems, deploy malicious agents and scripts, and exfiltrate sensitive records from affected environments at scale.
