One of the most interesting things about the recent TrapDoor malware campaign isn’t the malware itself. It’s the scale of the trust being abused. Researchers identified malicious packages spreading simultaneously across npm, PyPI, and Crates.io, effectively targeting JavaScript, Python, and Rust development ecosystems all at once. That alone tells us something important about the direction cyber attacks are moving. Attackers increasingly see developers and software pipelines

The Shai-Hulud malware campaign is becoming a pretty brutal case study in why software supply chain security is now a business risk, not just a developer problem. Researchers recently identified four malicious npm packages containing variants of the malware: Chalk-tempalte @deadcode09284814/axios-util Axois-utils color-style-utils And yes, those names are intentionally designed to look legitimate enough that someone moving quickly might not notice. That’s exactly what makes a

The recent Canvas breach is a good reminder that third-party integrations are often the fastest route into an organisation. Not because vendors are careless, but because modern businesses are now deeply interconnected. One compromised platform can create a ripple effect across thousands of organisations in hours. For those of us too old or childless to know, Canvas is one of the leading learning management systems used by schools, colleges, and universities. It handles course

What Is React2Shell? React2Shell is a recently disclosed vulnerability that affects applications built with React, one of the most widely used frontend frameworks in the world. At a high level, the issue allows attackers to chain together frontend weaknesses with backend behaviour in a way that can escalate from client-side input to server-side command execution. In other words, something that starts in the browser can end with attackers running code on your servers. That’s w

What’s Going On As Microsoft ends support for Windows 10 in October 2025, the NHS has found itself in a bind. Many hospitals and trusts still rely on medical devices and specialist equipment that can’t yet run Windows 11, simply because suppliers haven’t updated or certified their software for it. According to reports, while most NHS desktops and laptops are now on Windows 11, a small but significant number of clinical and diagnostic machines remain on Windows 10. These devic

Recently, researchers discovered a significant vulnerability in the Atlas browser that allowed malicious actors to inject commands into the browser’s AI agent by disguising them as URLs or using cross-site request forgery (CSRF). For startups and scale-ups, this is more than a headline, it’s a lesson in how you adopt new tools. It’s easy to get excited about cutting-edge tech, especially when it promises efficiency or innovation. But if you’re not assessing the risks, you mi

What Happened at Asahi What we do know: On September 29, 2025 , Asahi Group Holdings (Japan’s largest brewer) suffered a cyber-attack...

A Brief History of LockBit LockBit is one of the most persistent and high-impact ransomware families operating today. It began in 2019...

What CVE-2025-10585 Is Here’s what we know so far (as of mid-September 2025): The vulnerability is a zero-day, meaning attacks are...

A Quick Recap of the Attack On 16 September 2025, attackers exploited a GitHub Actions injection vulnerability to steal Nx’s NPM...

If you're part of a charity team, whether a founder, trustee, or operations lead, you already know how tight budgets and time are. But...

Password managers are a great tool. They help teams avoid reusing weak passwords, keep track of dozens (sometimes hundreds) of logins,...

This is a cautionary tale for founders and GRC leads: DaVita, a major kidney dialysis provider, was hit by a ransomware attack that...

Imagine a hacker buying a genuine .gov or .police email account for as little as $40 and using it to trick your team into opening malware...

You might be familiar with Blacksuit , the successor to royal, who defrauded 450 victims of over $370m since mid 2023 via Ransomware ....

This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Thorium , a powerful open-source platform for...

🚨 Heads up: Microsoft is enforcing DMARC policies by 5th May 2025. If you don't want your emails being delivered to the junk folder,...

If you run a small business or startup, you know that cybersecurity is important—but hiring a full-time Chief Information Security...

The most common questions I'm asked by small business or startups thinking about ISO 27001 certification are of course: how long will it...

I've recently delivered an awareness session for a client on how to prevent social engineering. Social engineering is one of my all time...