April 2026 was the worst single month for cyber attacks on record. There were 105 publicly disclosed ransomware incidents globally, the highest April figure since tracking began. The UK ranked third by volume with 30 confirmed attacks. Healthcare was the only sector where attacks rose month-on-month.

Looking back at the month with a week's distance, three patterns matter more than the count.

Pattern one: discovery latency

The defining failure mode of April 2026 was not detection. It was disclosure.

The cPanel zero-day, CVE-2026-41940, was actively exploited in the wild for months before cPanel disclosed it on 30 April. The Nginx UI authentication bypass (CVE-2026-33032) was being exploited against deception-technology honeypots from 1 April; the patched advisory came two weeks later. The Canvas LMS intrusion at Instructure began on 25 April; the company detected it on 29 April and disclosed publicly on 1 May.

In all three cases, the time between exploitation and public disclosure was longer than the time between public disclosure and the start of incident response everywhere else. By the time defenders knew the threat existed, attackers had been operating against it for weeks.

This pattern is not new — it has been the dominant failure mode in supply chain compromise for years — but April made it clean enough to draw conclusions from. The implication for boards is that time-to-patch is the wrong metric in isolation. The metric that pairs with it is time-to-know-the-patch-is-needed. Without both, the patching programme is optimising the wrong half of the problem.

Pattern two: attribution as a public act

The 23 April NCSC/CISA joint advisory on China-nexus covert networks is the first time the UK has publicly attributed a covert botnet operation to a specific commercial entity. The advisory names Beijing-headquartered Integrity Technology Group as the manager of the Raptor Train botnet — a network of more than 200,000 compromised devices worldwide, infrastructure now linked to the majority of Volt Typhoon and Flax Typhoon activity.

This shift matters more than the technical content of the advisory. Public attribution carries diplomatic, legal, and procurement consequences that careful avoidance of attribution previously did not. Firms in regulated sectors should expect that public attribution events become reference points — for sanctions assessments, for supplier risk decisions, for the conversations procurement teams have to have about exposure to named entities.

The Sir David Davis MP incident in the same week — his constituency website hit with 142 million requests over twenty-four hours, with traffic traced to China — is the operational companion. State-aligned activity is no longer something that happens to faceless infrastructure; it happens to named individuals whose names are in Hansard.

Pattern three: the supply chain as primary attack vector

ChipSoft was the headline. The Dutch electronic health record vendor's ransomware compromise on 7 April took out EHR services across roughly 70% of Dutch hospitals and several Belgian facilities. Patient care continued with manual workarounds; appointments were delayed; access to records was restricted. The attack vector has not been publicly disclosed. The impact was sector-wide.

Autovista, a UK-based data analytics provider serving the automotive sector across Europe and Australia, was hit the same month. The firm is not a household name. It is the kind of supplier whose data underpins insurance pricing, fleet management, and resale market intelligence. Its outage has knock-on effects in regulated sectors that are still being assessed.

And underneath both — quieter, but probably more consequential in the long run — the Mini Shai-Hulud worm compromised 84 npm package artefacts in TanStack's release pipeline on 11 May, with a second wave hitting the @antv ecosystem on 19 May. Both waves were published through legitimate release pipelines using trusted OIDC identity. The compromised packages were cryptographically indistinguishable from real ones by provenance attestation. This is the failure mode where the supply chain attack vector becomes invisible even to the audit mechanism designed to detect it.

April was a month in which the visible supply chain attacks — ChipSoft, Autovista — distracted attention from the invisible ones, which will produce worse outcomes over a longer horizon.

What the 105 number obscures

The headline of 105 ransomware incidents is impressive but slightly misleading. The number counts publicly disclosed events. It does not count compromises that were detected and contained without disclosure. It does not count compromises that have not yet been detected.

The cm-alliance and Comparitech tracking gives one number; the NCSC's own incident management figures (extrapolating from the 204 nationally significant incidents over the previous twelve months) give another; the underlying universe of compromise is bigger than both. What the 105 tells you is that the threshold for becoming public has been crossed by more incidents this April than in any previous month. The threshold itself has not been moving in a way that explains the rise. The volume has.

What April taught me

Two things, in order of importance.

The first is that the "for boards" question is no longer "are we at risk?". The answer is yes. The question is "how would we currently find out about it?". Every one of April's headline incidents had a discovery-latency problem at its centre. The boards that survive 2026 in good shape will be the ones that have invested in detection capability disproportionately to the rest of the security programme.

The second is that the regulatory and diplomatic environment has shifted. Public attribution, named entities, ministerial letters, joint statements — these are not background noise. They are the new operating conditions for any firm that touches critical infrastructure, regulated data, or government supply chains. The firms that read these signals as routine bureaucratic output rather than directional intelligence will be caught out by the next round of supervisory letters.

For boards

Four questions worth taking into the next meeting, derived from April rather than recited at it.

Of the critical software in our estate, how much is supplied by vendors whose own disclosure record we can describe in detail? How much is supplied by vendors we have never heard from on a security topic? The gap between those two numbers is your supplier transparency problem.

If a vulnerability comparable to CVE-2026-41940 had been live in our environment for three months before disclosure, what is the latest moment we would have noticed it through our own detection — and what would have made us notice? The honest answer is rarely "soon enough".

Have we mapped our supplier dependencies against the entities named in NCSC's April advisories? If not, when will we? This is now a quantifiable risk for any firm in CNI scope, and the question is not "do we have exposure" but "do we know what our exposure is".

If we suffered a ChipSoft-shaped incident next month — a critical SaaS or sector-shared provider compromised by ransomware for five to ten days — what would happen in the first forty-eight hours, named individual by named individual? If the answer is unclear, the playbook is the work.

The closing observation

April was bad. May has been worse for some sectors and better for others, and the early data on June suggests the pattern continues. The boards that internalise the discovery-latency lesson, the attribution lesson, and the supply chain lesson now will be the ones whose 2026 annual report reads as well-governed. The boards that wait will be the ones explaining themselves to the regulator.

The choice is being made now, in the calm window between months. It is rarely made well after the noise starts.