Five things from the past working week that a UK board should know about, in the order they would matter if you had to brief a chair over coffee on Monday morning. I have left out the noise. Where I have left something in, it is because there is a decision attached to it.

1. A self-spreading npm worm went round again

On 19 May the Mini Shai-Hulud worm published more than 320 malicious package versions across the @antv data visualisation ecosystem on npm, in a 22-minute automated burst. The malware harvests developer secrets and cloud credentials, establishes persistent command-and-control access, and propagates itself to further packages using the stolen npm tokens. Microsoft published its analysis on 20 May; NHS England Digital issued an advisory on the broader supply-chain attack the same week.

This is the fourth wave of the same toolchain, attributed to a group calling itself TeamPCP, which has now also hit Aqua Security's Trivy scanner and the Bitwarden CLI npm package in earlier outings this year. The novelty in May's wave was that compromised packages were published through legitimate release pipelines using trusted OIDC identity — meaning the malicious versions were cryptographically indistinguishable from real ones by provenance attestation.

For boards. If your engineering team builds anything with JavaScript or TypeScript (this is most firms), you have an exposure here. The right board question is not “are we patched” — that frame does not apply to supply-chain compromise. It is “do we have an inventory of which npm packages we depend on, and do we know how we would find out if one of them turned hostile within the next two hours?”
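One way to answer the inventory question in practice is to read it straight out of the lock file the build already commits. The script below is an added example written for this briefing, not code from the original post or from any of the vendors named above. It assumes a `package-lock.json` with `lockfileVersion` 2 or 3 (the `packages` map keyed by `node_modules/` path); the two sample lock files, the watched scope, the known-bad version list and the allowed registry host are constructed placeholders, not indicators taken from the May wave.

```python
"""Inventory npm dependencies from package-lock.json and flag what needs a look.

Added example for this briefing; not code from the original post. Assumes a
lockfileVersion 2 or 3 lock file (the "packages" map keyed by node_modules path).
The sample lock files, watched scope and known-bad list are constructed
placeholders, not indicators from the attack described.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: the lock file as it looks today.
CURRENT_LOCK = """{
  "name": "sample-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app"},
    "node_modules/@antv/g2": {"version": "5.2.13",
      "resolved": "https://registry.npmjs.org/@antv/g2/-/g2-5.2.13.tgz",
      "integrity": "sha512-PLACEHOLDER-A"},
    "node_modules/@antv/util": {"version": "3.3.12",
      "resolved": "https://registry.npmjs.org/@antv/util/-/util-3.3.12.tgz",
      "integrity": "sha512-PLACEHOLDER-B"},
    "node_modules/left-pad": {"version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-PLACEHOLDER-C"},
    "node_modules/internal-lib": {"version": "0.1.0",
      "resolved": "https://npm.example.internal/internal-lib-0.1.0.tgz"}
  }
}"""

# Constructed sample: the lock file as last reviewed (the baseline to diff against).
BASELINE_LOCK = """{
  "name": "sample-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app"},
    "node_modules/@antv/g2": {"version": "5.2.12",
      "resolved": "https://registry.npmjs.org/@antv/g2/-/g2-5.2.12.tgz",
      "integrity": "sha512-PLACEHOLDER-A0"},
    "node_modules/@antv/util": {"version": "3.3.12",
      "resolved": "https://registry.npmjs.org/@antv/util/-/util-3.3.12.tgz",
      "integrity": "sha512-PLACEHOLDER-B"},
    "node_modules/left-pad": {"version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-PLACEHOLDER-C"}
  }
}"""

@dataclass(frozen=True)
class Dep:
    name: str
    version: str
    resolved: str
    integrity: str

def inventory(lock_text: str) -> list:
    """Flatten the lock file into one Dep per installed package (root entry excluded)."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion") not in (2, 3):
        raise ValueError("this example only handles lockfileVersion 2 or 3")
    deps = []
    for path, meta in lock["packages"].items():
        if path == "":                      # "" is the project itself, not a dependency
            continue
        name = path.split("node_modules/")[-1]   # last segment also handles nested node_modules
        deps.append(Dep(name, meta.get("version", ""), meta.get("resolved", ""),
                        meta.get("integrity", "")))
    return sorted(deps, key=lambda d: d.name)

def find_risks(deps, watched_scopes, bad_versions, allowed_hosts):
    """Return (name, version, reason) tuples for entries that need a human look."""
    findings = []
    for d in deps:
        scope = d.name.split("/")[0] if d.name.startswith("@") else ""
        if scope in watched_scopes:
            findings.append((d.name, d.version, f"in watched scope {scope}"))
        if (d.name, d.version) in bad_versions:
            findings.append((d.name, d.version, "matches known-bad version"))
        if not d.integrity:                 # nothing pins the tarball bytes at install time
            findings.append((d.name, d.version, "no integrity hash pinned"))
        host = urlparse(d.resolved).hostname or ""
        if host not in allowed_hosts:
            findings.append((d.name, d.version, f"resolved from unexpected host {host!r}"))
    return findings

def diff_inventories(before, after):
    """{name: (old_version, new_version)} for packages added or changed since the baseline."""
    old = {d.name: d.version for d in before}
    new = {d.name: d.version for d in after}
    return {n: (old.get(n), v) for n, v in new.items() if old.get(n) != v}

if __name__ == "__main__":
    now, base = inventory(CURRENT_LOCK), inventory(BASELINE_LOCK)
    for f in find_risks(now, {"@antv"}, {("totally-fake-pkg", "9.9.9")}, {"registry.npmjs.org"}):
        print("RISK", *f)
    for name, (old, new) in diff_inventories(base, now).items():
        print("DRIFT", name, old, "->", new)
```

The drift check is the part that answers the "two hours" question: run `diff_inventories` between the last reviewed lock file and the one about to ship, and every new or changed version is a concrete list to check rather than a feeling. Because the May wave was published through legitimate pipelines with trusted OIDC identity, provenance attestation on its own would not have separated good from bad; the check above therefore leans on pinned integrity hashes, version drift and a watchlist instead.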

2. The Cabinet Office wrote to business leaders about AI-driven attacks

On 20 May ministers published an open letter to UK business leaders warning that AI is accelerating cyber threats, making attacks faster, cheaper, and easier to scale. New AI tools can find software vulnerabilities and generate exploits at a speed that would have been unthinkable a year ago. The letter is short, public, and pointed.

Letters of this kind are usually filed under “noted” and then forgotten. This one is worth not filing, for two reasons. The first is that it gives an externally anchored mandate for any board that wants to push their executive on AI readiness without sounding alarmist — “the Cabinet Office wrote us a letter” lands differently than “the CISO is worried”. The second is that it signals where the government's published expectations are heading, which is into regulator territory.

For boards. Read the letter, minute that you have read it, and ask the executive what their response is. The minuting is the point — if a serious incident lands later in the year, the existence of that minute is the difference between a defensible board and an embarrassed one.

3. The Cyber Security and Resilience Bill moved to Report Stage

The Bill that updates the Network and Information Systems Regulations 2018 reached Report Stage in the House of Commons on 14 May, and continues to move. It expands the scope of UK CNI obligations and gives regulators sharper teeth on incident reporting and supply-chain due diligence.

The substance has not changed much since the second reading in January, but the political clock is now real. Firms in the existing NIS scope — and the wider set the Bill will pull in — should expect to be tested against a more demanding set of obligations within twelve months.

For boards. If you are in scope, the executive should be presenting a delta analysis by the next meeting. If you are not sure whether you are in scope, that is itself the answer: the Bill is widening that net deliberately, and now is the cheap moment to find out.

4. The South Staffordshire Water fine quietly recalibrated the ICO

On 7 May the Information Commissioner's Office issued a £963,900 fine against South Staffordshire Plc and South Staffordshire Water Plc, following the Cl0p-linked cyber attack that began in September 2020. The original cause was a successful phishing email that allowed malware to sit undetected on the network for twenty months.

It is not the size of the fine that matters — it is what was fined. The ICO has been increasingly explicit, including in its five-step guide on AI-powered cyber threats published 15 May, that inadequate security measures preceding the breach are doing more enforcement work than the breach itself. South Staffordshire is the latest data point along the line that runs through Capita and Advanced Computer Software in 2025: the regulator is calibrating against the controls you can evidence, not the incident report you filed afterwards.

For boards. The defensible position is no longer “we had a breach, we responded well”. It is “we can demonstrate the controls we had in place before the breach”. Those are very different evidential exercises.

5. Microsoft's Patch Tuesday was unusually quiet — which is itself notable

The May Patch Tuesday addressed 118 to 120 vulnerabilities depending on which vendor you count by, with 16 rated critical. For the first time since June 2024, no zero-days were actively exploited at release. Worth a note: CVE-2026-41089 (Netlogon RCE, CVSS 9.8) and CVE-2026-41096 (DNS Client RCE, CVSS 9.8) are the two to prioritise in patch scheduling.

A quiet month is welcome, but it should not be taken as evidence that the tide has turned. The April set included the cPanel zero-day that had been exploited for months before disclosure; the absence of public zero-days in May tells you less about the threat landscape than the patch backlog you carry into June.

For boards. Useful pulse-check: ask the executive what the average time-to-patch is on critical-rated CVEs across the production estate. If the answer is more than a calendar week and there is no exception process documented for the rest, that is a gap worth surfacing.
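The pulse-check above is easy to ask and surprisingly hard to answer without a script, because the scanner export and the exceptions register usually live in different places. The following is an added example for this briefing, not code from the original post. It assumes a CSV export with one row per (CVE, host) and an exceptions register keyed the same way; the hosts, dates and the `CVE-0000-00000` identifier are constructed placeholders, while the two critical CVEs are the ones named in the section.

```python
"""Time-to-patch pulse-check over a vulnerability-findings export.

Added example for this briefing; not code from the original post. Assumes a CSV
export with one row per (CVE, host) and an exceptions register keyed the same way.
Rows, hosts and dates are constructed; CVE-0000-00000 is a placeholder identifier.
"""
import csv
import io
from datetime import date
from statistics import mean, median

# Constructed export: cve,severity,host,first_seen,remediated (blank = still open)
FINDINGS_CSV = """cve,severity,host,first_seen,remediated
CVE-2026-41089,critical,dc-01,2026-05-12,2026-05-15
CVE-2026-41089,critical,dc-02,2026-05-12,2026-05-21
CVE-2026-41096,critical,ws-17,2026-05-12,
CVE-2026-41096,critical,ws-22,2026-05-12,
CVE-0000-00000,high,app-03,2026-05-12,2026-05-22
"""

# Constructed exceptions register: (cve, host) -> documented reason and review date.
EXCEPTIONS = {
    ("CVE-2026-41096", "ws-17"): "vendor driver conflict; mitigation in place; review 2026-06-01",
}

# Constructed "as of" date for the report.
AS_OF = date(2026, 5, 25)

def parse_findings(text):
    """Parse the CSV export into dicts with real date objects."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "cve": r["cve"], "severity": r["severity"].lower(), "host": r["host"],
            "first_seen": date.fromisoformat(r["first_seen"]),
            "remediated": date.fromisoformat(r["remediated"]) if r["remediated"] else None,
        })
    return rows

def time_to_patch(findings, severity="critical"):
    """Mean and median days from first sighting to remediation, closed findings only."""
    days = [(f["remediated"] - f["first_seen"]).days
            for f in findings if f["severity"] == severity and f["remediated"]]
    if not days:
        return {"count": 0, "mean_days": None, "median_days": None}
    return {"count": len(days), "mean_days": mean(days), "median_days": median(days)}

def open_past_sla(findings, exceptions, today, sla_days=7, severity="critical"):
    """Open findings older than the SLA, each tagged with its documented exception (or None)."""
    out = []
    for f in findings:
        if f["severity"] != severity or f["remediated"]:
            continue
        age = (today - f["first_seen"]).days
        if age > sla_days:
            out.append({"cve": f["cve"], "host": f["host"], "age_days": age,
                        "exception": exceptions.get((f["cve"], f["host"]))})
    return out

def undocumented_gaps(findings, exceptions, today, sla_days=7):
    """The subset the board question is really about: past SLA with no exception on record."""
    return [b for b in open_past_sla(findings, exceptions, today, sla_days) if b["exception"] is None]

if __name__ == "__main__":
    rows = parse_findings(FINDINGS_CSV)
    print("critical time-to-patch:", time_to_patch(rows))
    for gap in undocumented_gaps(rows, EXCEPTIONS, AS_OF):
        print("GAP", gap["cve"], gap["host"], f"{gap['age_days']}d open, no exception documented")
```

The average on its own hides the interesting part: in the constructed data the mean is within a week, yet one host is almost two weeks past first sighting with nothing on the exceptions register. That second list is what the "exception process documented for the rest" clause in the board question is pointing at.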

The thread that ties this together

Four of these five stories are about something that is hard to see and easy to ignore: supply chains, dependencies, the slow accretion of obligations, controls that exist on paper but cannot be evidenced under examination. Boards are good at reacting to single incidents and weak at reacting to gradual exposure. The week's news, taken together, is a quiet argument for spending more agenda time on the second category.

If you want one question for the next board meeting, this is it: what could happen this year that we would only realise we should have been watching with the benefit of hindsight?

That answer is usually the work.