⭐100K+ Monthly Downloads

⭐Top 20 Apple Management


The Small Business Cyber Security Guy


Welcome to the blog and podcast, where we share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.

Everything here is personal. These are my and the team’s thoughts and opinions, forged in the heat of battle, and not those of our employers, clients, or any other professional with whom we are associated.

If you’re offended, take it up with us, not them.

What you’ll get here (and on the podcast):

  • Straight-talking advice for small businesses that want to stay secure

  • Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense

  • The occasional rant — and yes, the occasional expletive

  • War stories from the frontlines (names changed to protect the spectacularly guilty)

I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.

This blog and the podcast are where we break it all down.

Grab a coffee and pull up a chair, you need to see this!

Threat Intelligence Noel Bradford

The Back Button That Broke Companies House: How Five Million Directors Had Their Home Addresses Exposed for Five Months

For five months, anyone with a Companies House login could access the private dashboard of any of the five million registered UK companies. Home addresses. Dates of birth. Email addresses. All the personal data fraudsters need to impersonate a director, open accounts in your company's name, or reroute your banking. Not by hacking. Not by sophisticated exploit. By pressing the back button. That is the entirety of the technical skill required. The government body responsible for the UK's corporate register sat on this vulnerability from October 2025 until 13 March 2026. If you are a company director, read this now.

Threat Intelligence Noel Bradford

Your Developers Are Being Hunted: The Fake Job Interview Malware Campaign Every UK Business Owner Needs to Know About

Microsoft's Defender Experts published research yesterday on a campaign called Contagious Interview. Attackers pose as recruiters, walk your developers through a convincing fake job interview, then get them to clone and run a malicious code repository. The moment they do, your cloud credentials, API tokens, signing keys, and password manager databases are on their way out the door.

This campaign has been running since at least December 2022. Your developers are the target. Your infrastructure is the prize. And the attack is sophisticated enough that even technically sharp people fall for it. Here is what you need to know.

Threat Intelligence Graham Falkner

March Patch Tuesday 2026: No Zero-Days, No Excuses

Microsoft shipped March 2026 Patch Tuesday on 10 March with no actively exploited zero-days. And I can already hear the conversation in the finance department: "Quiet month, push it to next quarter." Wrong.

This month's release covers six Windows elevation-of-privilege flaws that Microsoft itself rates as Exploitation More Likely, a critical Excel bug that can hijack Copilot Agent to exfiltrate data with near zero user interaction, and two Office remote code execution issues that fire through the Preview Pane. Quiet months are when attackers catch you napping. Get the cumulative update applied. This week.

Threat Intelligence Mauven MacLeod

Russian Hackers Are Silently Reading Your WhatsApp Messages Right Now

Hello, Mauven here. Yesterday, Dutch military and domestic intelligence confirmed what European security agencies have been circling for weeks:

Russian state-sponsored hackers are running a large-scale global campaign to take over Signal and WhatsApp accounts. Not by breaking the encryption.

By asking for the keys. Two governments have now issued formal warnings. Dutch officials have confirmed their own employees are among the victims.

And the attack method is devastatingly simple. If your business uses WhatsApp, and most UK small businesses do, this concerns you directly.

Here is what is happening, how it works, and what you need to do before this afternoon.

Threat Intelligence Corrine Jefferson

Attackers Aren't Hacking In. They're Logging In. Here's the Data.

I spent time with Mauven this week working through the Unit 42 Global Incident Response Report 2026. Seven hundred and fifty incident response engagements. Fifty-plus countries. Real cases. The headline statistic, 89% of investigations involving identity as a material factor, is striking.

But it's not the number that should concern you most. It's what that number tells us about where organisations are spending their security budgets versus where attackers are actually operating.

They are not in the same place. That gap is the problem. And it is one that UK small businesses are exceptionally well-positioned to close, if they choose to.

Threat Intelligence Noel Bradford

Your Wi-Fi Guest Network Is a Lie

Last week, researchers proved something that should make every small business owner put down their coffee. Your Wi-Fi guest network, the one you set up so visitors don't touch your business systems, doesn't actually protect you. A new attack called AirSnitch lets anyone already on your network spy on every device connected to the same physical router, regardless of which network name they joined, regardless of whether you're running WPA2 or WPA3. Every single router tested failed. Here's what it means, explained without the jargon, and what you need to do before your next client walks through the door.

Threat Intelligence, Podcast Noel Bradford

Is your cloud provider a hidden national security risk in 2026?

Switzerland looked at Palantir and said no. The UK leaned in. That should worry you. Your business runs on the same US-owned platforms that governments argue about. Email, files, chat, identity, backups. The CLOUD Act means a provider can face legal demands for data, even when the servers sit outside the US. UK hosting does not always mean UK control. This teaser sets up the real question: if access rules changed tomorrow, could you prove who can touch your data, and how you would know?

Could you answer that today?

Threat Intelligence Noel Bradford

That Cheap Router on Your Desk? The US Just Called It a National Security Threat.

That TP-Link router you bought because it was £40 cheaper than the alternatives? Two days ago, the state of Texas sued the manufacturer for allegedly handing the Chinese Communist Party access to Americans' devices.

A US federal ban is on the table. Sixteen thousand routers worldwide have already been conscripted into a Chinese state-sponsored attack network. And the UK? Doing absolutely nothing.

This isn't paranoia. This is documented, court-filed, backed-by-three-US-federal-departments reality. Here's what you need to know, and what you need to do, before this becomes your problem.

Threat Intelligence, Podcast Noel Bradford

Chinese State Hackers Lived Inside Defence Networks for 393 Days: What Google's Report Means for Your 50-Person Business

Three hundred and ninety-three days. That's how long Chinese state hackers camped inside defence networks before anyone bloody noticed. Over a year. Reading emails. Mapping systems. Making themselves at home while everyone assumed the firewall was doing its job. Google just published the receipts, and the uncomfortable truth is this: manufacturing is the most targeted sector on ransomware leak sites.

Not banks. Not hospitals. Factories. Your VPN appliance is the front door nobody's watching, and the attackers know it better than your MSP does. This week, Mauven MacLeod and Dr Corrine Jefferson tear apart Google's report and hand you a 90-day survival plan.

Threat Intelligence Noel Bradford

Your AI Chatbot Just Became a Backdoor: What UK Small Businesses Need to Know About Promptware

Your business just plugged an AI chatbot into its website, an AI assistant into email, or a coding copilot into your dev team. Congratulations.

You may have just installed a backdoor. A landmark research paper from Bruce Schneier, Ben Nassi, and their colleagues has mapped a full malware kill chain for AI systems. They call it promptware.

It is not theoretical. Twenty-one documented attacks already cross four or more stages of this kill chain, in live production systems. The NCSC agrees the threat is being catastrophically underestimated. Pull up a chair. This one is going to sting.

Threat Intelligence, Patch Tuesday Graham Falkner

Six Zero-Days, One Tuesday, and Your Approval Process Is Still Broken

Graham here. Microsoft dropped six actively exploited zero-days on us yesterday, three of them publicly disclosed before the patch even landed. That means attackers had working exploits before you had fixes.

Three bypass your security warnings entirely. One gives SYSTEM access through Remote Desktop Services. CrowdStrike confirmed active abuse in the wild. Meanwhile, SAP shipped a CVSS 9.9 code injection flaw and Adobe patched 44 vulnerabilities across nine products.

If your patching approval process takes longer than 48 hours, you are giving attackers a documented, step-by-step guide to your network. Here is what to patch first.

Threat Intelligence Noel Bradford

Your VPN Is a Nation-State Doorway: What Google's Defence Report Means for Every UK Business

Google just dropped a report that should make every UK business owner physically uncomfortable. Chinese state-sponsored hackers have exploited more than two dozen zero-day vulnerabilities in VPNs, routers, and firewalls since 2020. From ten different vendors. The average time they sit inside your network before anyone notices? 393 days. Over a year of unfettered access.

And if you think "I'm not a defence contractor, this doesn't affect me," think again. Manufacturing has been the single most targeted sector on ransomware leak sites since 2020. Your edge devices aren't protecting you. They're welcoming nation-states straight through the front door.

Threat Intelligence Noel Bradford

When Sandworm Tried to Kill the Lights in Poland: Why the NCSC Is Warning UK Businesses Right Now

Russia's Sandworm hacking group just attempted the largest cyber attack on Poland's energy infrastructure in years, deploying custom wiper malware called DynoWiper against 30 wind farms, solar installations, and a heat plant serving half a million people. The attack failed, but only barely. The NCSC is now warning UK critical infrastructure operators to act immediately. If you think nation-state attacks on power grids are somebody else's problem, think again. Every UK business sitting in those supply chains just became a potential stepping stone for the next Sandworm operation.

Threat Intelligence, Podcast Noel Bradford

Four Campaigns, One Week, Zero Excuses: New Episode Out Now

Four concurrent cyberattack campaigns hit last week. Russian military intelligence weaponised a critical Microsoft Office vulnerability within 24 hours of the patch dropping. Commodity criminals started selling the same capability for £50 a month. A Chinese-linked group compromised Notepad++ updates for six months. Three separate macOS infostealer campaigns ran simultaneously. And while all of that was unfolding, the UK's biggest data protection law change since Brexit went live with 48 hours' notice. Cookie fines jumped from £500,000 to £17.5 million overnight. We broke all of it down in this week's episode.

Podcast, Threat Intelligence Mauven MacLeod

Four Game-Changing Cyber Stories in One Episode

The acting head of America's cybersecurity agency just uploaded government secrets to ChatGPT. Meanwhile, a Dublin IT manager discovered £18,000 worth of unused incident response services sitting in his cyber insurance policy. Passkeys can eliminate phishing attacks completely. And those viral Trump cloud cartoons? They're exposing the infrastructure dependency crisis threatening UK businesses. Four critical cybersecurity stories. Three expert guests. 45 minutes that could transform how your business approaches security. This isn't your typical cybersecurity podcast. Listen now.

Threat Intelligence Corrine Jefferson

The Slopocalypse in the Apple App Store: When Five-Star Apps Leak Your Life

The Apple App Store feels safe. That is the story many people tell themselves. Firehound and Vulnu show why that comfort can be dangerous. This week, researchers flagged insecure iPhone apps that expose user data through badly secured cloud storage. Some leak private chats, email addresses, and location traces. Many of these apps look polished and carry strong ratings. That is the trap. In this guest post, Corrine Jefferson explains how slop apps slip through review, why AI apps raise the stakes, and what you can do today to cut your risk. What is on your phone right now?

Threat Intelligence, Podcast Noel Bradford

Your MFA Is Being Bypassed Right Now: The 146% Surge in Attacks Nobody's Talking About

You've got MFA turned on. Authenticator app, text codes, the lot. You think you're protected. Now picture this: your finance director clicks a legitimate-looking link, signs in, approves the MFA request like always, and boom—an attacker just stole her session token. Full access to Microsoft 365. No more MFA prompts needed. Welcome to 2026, where adversary-in-the-middle attacks surged 146% in the past year. Nearly 40,000 incidents daily. Your traditional MFA? Doing precisely nothing to stop them. Time to talk about phishing-resistant authentication before your competitor gets breached instead of you.


When the Panic Becomes Obvious

Three Mile Island. You remember it, right? The 1979 nuclear accident that terrified an entire generation and effectively killed nuclear power plant construction in America for 40 years?

Microsoft just spent $1.6 billion to restart Unit 1. Not for clean energy virtue signaling. Because they're bloody desperate.

Google committed to 500 megawatts of Small Modular Reactors. Amazon's all-in on multiple nuclear projects. Meta wants up to 4 gigawatts.

Billions in nuclear investment. Timeline: 2028 to 2035 delivery.

Meanwhile, AI's energy demands are immediate and accelerating. And you're paying for every watt through exploding cloud bills.

Technology Risks, Threat Intelligence Noel Bradford

When Two Swiss Scientists Decided Silicon Wasn't Good Enough

They're growing brain tissue in Swiss laboratories and using it to process information. Not simulations. Actual living human neurons, derived from skin cells, housed in specialized chambers, connected to electrodes, computing.

FinalSpark's Neuroplatform has 16 brain organoids containing roughly 160,000 neurons total. Each organoid interfaces with 8 electrodes sampling at 30 kHz. The system has operated continuously for four years, testing over 1,000 organoids, collecting 18 terabytes of data.

The peer-reviewed research is published. Nine universities have free access. You can watch neurons computing in real-time on their website.

This is happening right now. Not science fiction. Science fact.


⚠️ Full Disclaimer

This is my personal blog. The views, opinions, and content shared here are mine and those of any contributors, and ours alone. They do not reflect or represent the views, beliefs, or policies of:

  • Our day-job employers

  • Any current or past clients, suppliers, or partners

  • Any other organisation we are affiliated with in any capacity

Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.

Where we mention products, services, or companies, that’s based purely on our own experiences and opinions. We are not being paid to promote anything. If that ever changes, we’ll make it clear.

In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.