Cyber: state actors and supply‑chain

- The UK National Cyber Security Centre warned most serious attacks now come from hostile states.
- Officials say Britain faces about four nationally significant cyberattacks per week, while Elastic flagged a backdoored Axios JavaScript library.
- The narrative is shifting to resilience and supply‑chain monitoring after these state‑linked and npm/Axios‑style compromises.

Britain’s cyber agency says the country now faces about four nationally significant cyberattacks a week, and the most serious are increasingly tied to hostile states. (ncsc.gov.uk)

National Cyber Security Centre chief Richard Horne said the agency handled a record 204 nationally significant incidents in the year to September, up from 89 a year earlier. He said Russia, Iran and China now sit behind the gravest threats, even as ransomware and online fraud still generate much of the day-to-day disruption. (computerweekly.com)

A nationally significant attack is the kind of breach that can hit essential services, major companies or government systems, not just one laptop or one small office. Horne used his CyberUK speech on April 22, 2026 to press British businesses to harden networks and prepare to recover quickly when defenses fail. (abcnews.com)

At the same time, security teams are dealing with supply-chain attacks, where hackers poison trusted software so victims install the malware themselves during routine updates. That is what happened on March 30 and March 31, when attackers used a compromised npm maintainer account to publish backdoored versions of the widely used Axios JavaScript library. (elastic.co)

Elastic Security Labs said the attacker pushed axios versions 1.14.1 and 0.30.4, which were tied to the package’s “latest” and “legacy” channels, so many fresh installs would fetch the malicious code by default. Elastic said its automated supply-chain monitoring caught the attack during a 39-minute window and flagged malware for macOS, Windows and Linux. (elastic.co)

Singapore’s Cyber Security Agency issued an advisory telling organizations to check whether they installed the affected Axios releases and to assess systems for compromise. Datadog Security Labs separately said the hijacked package delivered a remote-access trojan, giving attackers a foothold across multiple operating systems. (csa.gov.sg, securitylabs.datadoghq.com)

Another strand of the same problem is showing up on phones. ESET said on April 21 that a new NGate malware variant hid inside a trojanized version of HandyPay, an Android app used to relay near-field communication, the short-range radio system behind tap-to-pay cards and phones. (eset.com)

ESET said the campaign has targeted Android users in Brazil since November 2025 and lets attackers steal card data, capture PINs and use the information for contactless payments or ATM cash-outs. The company said the malicious changes to HandyPay appeared likely to have been generated with generative artificial intelligence tools. (welivesecurity.com)

The common thread is trust: governments are warning about state-linked intrusions while defenders are also chasing attacks hidden inside code libraries, app updates and legitimate developer accounts. The result is a cyber playbook that now puts as much weight on resilience, monitoring and recovery as on keeping intruders out in the first place. (govinfosecurity.com, ncsc.gov.uk)
