Four things from the past working week that a UK board should know about, in the order I would raise them with a chair over coffee on Monday. A quieter week than the last, but not an idle one: allied governments named the Russian service picking over your routers, Microsoft shipped its largest patch on record, and the Bill I flagged last week reached the Lords. I have left the noise out. What survives has a decision attached.
1. Nineteen agencies named the service that is scanning your routers
On Monday 13 July the NCSC joined eighteen partner agencies from twelve other countries to warn that poorly configured routers are the way in for Russian state actors, in a joint advisory catalogued by CISA as AA26-194A. The named actor is FSB Centre 16 — the group also tracked as Berserk Bear, Energetic Bear and Static Tundra. The method is not exotic. They scan the internet for network devices still running SNMP version 1 or 2 with default or weak community strings, and for known unpatched flaws, then sit quietly on the ones that answer. The sectors flagged as most at risk are communications, defence, energy, financial services, government and healthcare.
For boards. This is the device nobody audits. Ask who owns the routers and network appliances on your perimeter, when their firmware was last updated, and whether SNMP is still running an old version with a community string somebody set in 2019. If nobody in the room can answer, that silence is the answer, and it is the same one the FSB is listening for.
2. Microsoft shipped its largest patch on record, and two flaws were already being used
Tuesday 14 July brought a Patch Tuesday that fixed a record 570-plus vulnerabilities, three of them zero-days. The headline number is noise. The two that matter are the ones Microsoft confirmed were already being exploited, both now added to CISA's Known Exploited Vulnerabilities catalogue. CVE-2026-56155 is an elevation-of-privilege flaw in Active Directory Federation Services that hands an attacker administrator rights. CVE-2026-56164 is a missing-authentication flaw in SharePoint Server that lets an unauthenticated remote attacker elevate privileges over the network. SharePoint, again.
For boards. Do not let the count distract from the two. ADFS sits under your single sign-on and SharePoint holds your documents, so both are worth a fast lane rather than the monthly cycle. Ask whether they were patched within days of the fifteenth, and whether anyone checked for signs the flaws had already been used before the patch went on. A clean patch record is not the same as a clean estate.
3. The Bill I flagged last week reached the Lords
Also on 14 July, the Cyber Security and Resilience Bill had its second reading in the House of Lords, taken through by Baroness Lloyd of Effra for the government. The Bill amends the NIS Regulations 2018, pulls more sectors into scope, tightens incident-reporting duties, and gives the secretary of state power to issue directions to organisations on national-security grounds. Last week I wrote that a voluntary pledge landing quietly is usually the prelude to a statutory duty. Here is the duty, moving through its stages.
For boards. If you run an essential or digital service, the reporting clocks and supply-chain obligations are the clauses to read now, while they can still be shaped in committee rather than simply inherited at Royal Assent. The firms that engage with a Bill at second reading tend to be the ones not surprised by it eighteen months later.
4. A poisoned npm package that install-time defences do not stop
Last week's supply-chain story was npm blocking install scripts. This week's is the sequel that walks around them. On 14 July attackers compromised unprotected release branches of the widely used AsyncAPI project and published trojanised packages carrying the Miasma remote-access trojan — the specs package alone pulls around 2.7 million downloads a week. The detail that matters is in Microsoft's analysis: the payload runs at module-load time, on import, not on install. So the standard mitigation of installing with scripts disabled does nothing, because no install script ever runs. The malware harvests SSH keys, npm and GitHub tokens, AWS secrets and browser data.
For boards. The uncomfortable part is that this bypassed the control a lot of teams have only just adopted. Ask whether the build pipeline pins its dependency versions, and whether a compromised package four levels down the tree could reach production without a single human reviewing the change. If the working assumption is that the registry can be trusted, that assumption is now the vulnerability.
The thread that ties this together
Every problem this week lives somewhere nobody looks: the router in the comms cupboard, the federation server behind single sign-on, the transitive dependency deep in the build. None of them are new systems and none needed a clever exploit. The FSB is scanning for defaults, not zero-days. The npm attackers did not break the registry, they walked in through a release branch nobody had protected. And the Bill is Parliament's slow way of putting a name against the unglamorous hygiene that keeps being skipped because it is nobody's job in particular.
So the question to carry into next week is not about a new threat. It is this: name the three systems in your estate that no single person owns. Then ask who would pick up the phone when the regulator rings about one of them.