ShinyHunters exploited a CVSS 9.8 Oracle PeopleSoft zero-day (CVE-2026-35273) to steal 40GB of Nottingham student data and hit 100+ orgs, with 68% in higher ed. Microsoft patched a live-exploited Exchange Server spoofing bug (CVE-2026-42897) in OWA on Patch Tuesday. And npm 12 will disable install scripts by default in July to kill the Shai-Hulud worm's favorite attack surface.

Nottingham Uni Breached , Exchange Email Spoofing , GitHub p

Hey guys, Mr. Technology here — three security stories in one digest, and they're all bad in different ways.

What You Need to Know: ShinyHunters stole 40GB of student records from the University of Nottingham by exploiting a 9.8-rated Oracle PeopleSoft zero-day, while Microsoft patched an actively exploited Exchange Server spoofing flaw (CVE-2026-42897) on Patch Tuesday, and GitHub confirmed npm 12 will disable install scripts by default in July to choke the Shai-Hulud worm attack chain.

Story 1: ShinyHunters pwns 100+ orgs through a PeopleSoft zero-day

The University of Nottingham is the canary, not the casualty. On June 9, 2026, the extortion crew ShinyHunters (tracked by Mandiant as UNC6240) confirmed to The Register that it had exploited CVE-2026-35273, a CVSS 9.8 unauthenticated remote-code-execution bug in Oracle PeopleSoft PeopleTools 8.61/8.62, against more than 100 organizations. The group exfiltrated 40GB of personal data and billing records belonging to hundreds of thousands of current and former students at the UK university, then posted the lot to its leak site after the school refused to pay.

Google's Threat Intelligence Group corroborated the claim in a Thursday report, saying it observed exploitation of CVE-2026-35273 between May 27 and June 9 and notified 100+ global orgs whose IPs correlated with vulnerable endpoints. 68% of those organizations are in higher education, and most are US-based. PeopleSoft runs HR, payroll, billing, supply chain, and student records at large institutions, so a single pre-auth RCE in the Environment Management Hub component (PSEMHUB) means an attacker can authenticate as a privileged user and pivot into the entire data warehouse.

Oracle issued an out-of-band security alert on Wednesday, a day after the university confirmed the breach, and Mandiant CTO Charles Carmakal warned on LinkedIn that patches "should come soon." As of this writing, no permanent patch is publicly available — only mitigations.

Story 2: Microsoft Exchange gets a live-exploited spoofing bug

CVE-2026-42897 is a high-severity cross-site scripting flaw in on-prem Exchange Server (2016, 2019, and Subscription Edition) that lets an attacker send a specially crafted email and run arbitrary JavaScript in the user's Outlook Web Access session. Microsoft confirmed active exploitation in mid-May, rolled out an automatic temporary mitigation via the Exchange Emergency Mitigation Service, and shipped a real fix in the June 2026 Patch Tuesday cycle.

"An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context," the Exchange Team wrote. Microsoft is now telling admins to deploy the June SU "as soon as possible" and leave the EEMS mitigations in place "for additional protection."

Story 3: GitHub pulls the pin on npm install scripts

This one was a long time coming. GitHub maintainer Leo Balter announced that npm 12, due in July, will no longer run preinstall, install, or postinstall scripts by default. Developers will have to allowlist them explicitly via a new allow-scripts field, which will be pinned to the installed package version. Two more defaults flip: --allow-git becomes off (closing the path where a malicious .npmrc overrides the Git binary to get RCE), and allow-remote becomes none (blocking remote URL dependencies).

The change is a direct response to the Shai-Hulud worm, which used postinstall hooks to spread across the registry. "Install-time lifecycle scripts are the single largest code-execution surface in the npm ecosystem," Balter wrote. "Every npm install runs scripts from every transitive dependency, so a single compromised package anywhere in your tree can execute arbitrary code on a developer machine or CI runner."

These flags have been available as opt-in since npm 11.10 in February; July just flips the switch. The break is real: native modules (Playwright, Puppeteer, Electron, anything that compiles on install) all need explicit approval. Run the audit command, allowlist what you need, and pin it.

The Take

Three stories, one underlying point: the supply chain — of students, of email, of dependencies — is the actual attack surface in 2026. The Nottingham breach wasn't a clever phishing campaign. It was a single unpatched component, 300 vulnerable instances on the public internet, and an extortion crew that automated the rest. Exchange CVE-2026-42897 didn't need credentials or user interaction beyond opening an email. And npm's default behavior for the last decade has been "execute whatever code the maintainer of any package anywhere in your tree wants to run." That era is over.

If you're running a Terraform module that pulls a PeopleSoft connector, a Microsoft shop that still has on-prem Exchange, or a Node app with a 2,000-package dependency tree, today is the day to ask your CISO or platform lead what the plan is. Don't wait for the patch you'll wish you'd pre-staged.

Quick Summary

ShinyHunters used a pre-auth 9.8-rated CVE-2026-35273 in Oracle PeopleSoft to hit 100+ orgs (68% in higher ed), starting with 40GB of Nottingham student data. Microsoft's June Patch Tuesday fixed a live-exploited Exchange Server XSS/spoofing bug (CVE-2026-42897) in OWA. And npm 12 will disable install scripts by default in July to kill the Shai-Hulud worm's favorite move.

Sources: