Oracle let a perfect 9.8 run wild for two weeks and only mentioned it afterwards. Meanwhile, the AI tools meant to write your code are being quietly talked into running someone else's.
The extortion crew ShinyHunters spent the back half of May walking into enterprise systems through an unpatched hole in Oracle PeopleSoft, lifting data and demanding money to keep it quiet. Google's Mandiant, tracking the group as UNC6240, dates the campaign between 27 May and 9 June. Oracle's advisory did not land until 10 June — which means the flaw was a live zero-day for the entire run.
The bug, CVE-2026-35273, is a remote code execution defect in PeopleSoft Enterprise PeopleTools rated a near-flawless 9.8 out of 10. No login. No user interaction. Just HTTP access to the server and you own it. Universities took the heaviest beating, which is the predictable outcome of pairing public-facing legacy ERP with skeleton security budgets.
"Mitigated" is doing an enormous amount of work in Oracle's phrasing — the company has still not confirmed in-the-wild exploitation it plainly knew about.
The lesson is not that PeopleSoft is fragile; everyone knew that. It is that the disclosure clock ran in the attackers' favour by design. If your patch window starts the day the vendor admits the problem, you were already a fortnight behind the people who found it first.
Two disclosures this week say the same uncomfortable thing from different angles: the AI agents bolted onto modern development are a fresh, soft attack surface. Researchers at Tenet Security described "Agentjacking" — tricking AI coding agents into executing arbitrary code on a developer's machine by feeding them a fake error report crafted in Sentry, the open-source error-tracking platform. The agent reads the planted "bug," dutifully tries to fix it, and runs the payload.
In parallel, a chain of three now-patched flaws in LangGraph — LangChain's framework for stateful, multi-agent applications — one of them an SQL injection in one of its functions, could be strung together into remote code execution on self-hosted deployments.
The pattern is the part worth your attention. We have spent a decade teaching developers not to trust input. We are now handing that same untrusted input to an eager autonomous process that has shell access and no instinct for self-preservation. The threat model didn't change — we just gave it hands.
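The pattern above, as an added example that is not from the original post or from Tenet Security's research: a defensive sketch in Python that treats an error report as data (structured fields extracted, free text flagged when it reads like instructions to the agent) and enforces an allowlist at the tool boundary rather than in the prompt. The report shape, tool names and marker phrases are constructed for illustration, not Sentry's or any agent framework's real schema.

```python
import re
from dataclasses import dataclass

# Tools the agent may invoke while working a ticket; nothing shell-like is listed.
ALLOWED_TOOLS = {"read_file", "run_tests", "propose_patch"}
SHELL_LIKE_TOOLS = {"shell", "bash", "exec", "run_command"}

# Phrases that address the agent rather than describe a bug (constructed list).
INJECTION_MARKERS = re.compile(
    r"ignore (all )?previous|you are the (agent|assistant)|run the following|"
    r"execute this|\|\s*(sh|bash)\b",
    re.IGNORECASE,
)
# A stack-frame path must look like a path: no spaces, no shell metacharacters.
SAFE_PATH = re.compile(r"[\w./-]+")


@dataclass
class ErrorReport:
    title: str
    message: str
    frames: list[tuple[str, int]]  # (file, line) as the tracker reported them


def sanitize_report(report: ErrorReport) -> dict:
    """Reduce the report to the structured facts the agent needs. Free text
    survives only length-capped, plus a flag if it reads like instructions."""
    text = f"{report.title} {report.message}"
    return {
        "frames": [(f, n) for f, n in report.frames if SAFE_PATH.fullmatch(f)],
        "message": report.message[:200],
        "instruction_suspected": bool(INJECTION_MARKERS.search(text)),
    }


@dataclass
class ToolCall:
    name: str
    args: dict


def authorize(call: ToolCall, context: dict) -> bool:
    """Enforce policy at the tool boundary, not in the prompt: shell-like tools
    never run for a task sourced from an external report, only allowlisted
    tools run at all, and a patch derived from a suspicious report is held."""
    if call.name in SHELL_LIKE_TOOLS or call.name not in ALLOWED_TOOLS:
        return False
    if call.name == "propose_patch" and context.get("instruction_suspected"):
        return False
    return True
```

The marker list will never be complete; the point is that the allowlist in `authorize` holds even when the marker regex misses, because the deny decision does not depend on recognising the injection.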
| CVE / Item | Severity | Product | Note |
|---|---|---|---|
| CVE-2026-35273 | Critical · 9.8 | Oracle PeopleSoft PeopleTools | Unauthenticated RCE over HTTP. Exploited as a zero-day by ShinyHunters before disclosure. |
| Defender Recovery-Mode PoC | High | Microsoft Defender | Public proof-of-concept abuses the offline scan to spawn a SYSTEM shell on reboot into Recovery Mode. |
The through-line on the patch landscape today is trust abuse: both items weaponise a process that is supposed to be safe — an ERP server doing its job, a security tool doing a scan. Defensive tooling earns the deepest privileges on a box, which makes it the most attractive thing to subvert. Audit your recovery and scanning paths, not just your perimeter.
An INTERPOL-led operation, codenamed Operation Ramz, disrupted Sniper Dz — a phishing-as-a-service platform that had been operating for roughly ten years. According to Group-IB, the effort ran from October 2025 to February 2026 and produced 201 arrests across 13 countries in the Middle East and North Africa.
It pairs with a separate action on 10 June against the operators of AudiA6, suspected of also running a dark-web crime forum known as Dark2Web. Two takedowns, one quiet truth: the crime economy is now a subscription business. You don't break in anymore — you sign up. Dismantling the storefront matters more than catching any single buyer, because the storefront is the multiplier.
A Cybernews survey this week found most Britons have no idea how much their smart devices are quietly harvesting — the ambient surveillance most people agreed to without reading. File it next to the running industry argument over Claude Fable 5, where the debate has shifted from "what can it do" to dual-use capability, safeguards, and tiered access.
Notice the shape of today's edition: an AI framework chained into RCE, coding agents talked into running malware, a frontier model debated as a dual-use tool. The security story of 2026 isn't a new exploit class — it's that the most capable software we've ever built is simultaneously the best defender and the most willing accomplice. Same model. Depends entirely who's prompting.