# NSBCS.122 - From the Desk of the CEO | Alerts Are Easy. Decisions Are What Matter.
Rethinking the role of the SOC in a decision-driven cyber landscape
Over the past few months, I’ve spent a lot of time in the trenches, with clients, in the middle of incidents, and in boardrooms trying to make sense of what’s actually changing in cyber right now.
And there’s a pattern emerging.
We’ve built Security Operations Centres that are incredibly good at detecting things… but not nearly as good at helping organisations decide what to do next.
That’s the uncomfortable truth.
Somewhere along the way, the SOC became an alert factory. More tools, more noise, more dashboards, all optimised for activity, not outcomes. And we’ve just accepted that as “normal”.
It shouldn’t be.
Because cyber defence isn’t a detection problem anymore. It’s a decision problem.
When something goes wrong, and it will, no one is asking how many alerts you processed that day. They’re asking: Do we understand what’s happening? What do we do next? And how quickly can we act?
This is where things are starting to shift. AI will absolutely play a role, not as a silver bullet, but as a force multiplier. Helping cut through noise, surface what matters, and support faster, more confident decisions when the pressure is on.
But technology alone won’t fix this.
From where I sit, the organisations that will win over the next few years aren’t the ones with the most tooling or the biggest SOCs; they’re the ones that can make better decisions, faster, when it counts.
That’s exactly what we’ve been rethinking.
If you’re running a SOC, or relying on one, now’s the time to ask whether it’s actually helping you make better decisions, or just creating more noise.
## What we read this week
Official SAP npm Packages Compromised in Credential-Stealing Supply Chain Attack - Security researchers have uncovered the compromise of several official SAP-related npm packages, together downloaded more than 1.1 million times a month, which threat actors modified to include infostealer malware capable of harvesting credentials and sensitive development data. The attack, which surfaced on 28 April 2026, exploited the trust placed in legitimate open-source dependencies that are used widely in enterprise applications and cloud environments. The inserted code ran at install time and exfiltrated data to attacker-controlled servers without tripping common package integrity checks. That is to be expected: a lockfile integrity hash only proves that the tarball you received is the one the registry served, so a malicious version published through the legitimate package passes that check by design. The incident highlights the growing sophistication of software supply-chain attacks against high-value development ecosystems. Organisations should immediately audit npm dependencies, lockfiles included, for the affected SAP packages and versions, enforce code signing (npm’s provenance attestations) and SBOM verification, isolate development and build environments, and add runtime behavioural monitoring to catch anomalous package activity such as outbound connections during installation.
New Wave of DPRK Attacks Deploys AI-Inserted npm Malware via Fake Firms and RATs - North Korean-linked threat actors have escalated operations with a fresh campaign that inserts AI-generated malicious code into npm packages, combined with social engineering through fabricated companies and remote access trojans. Observed in attacks since late April 2026, the tactics target developers and organisations in the technology and finance sectors, achieving initial access before deploying persistent RATs for data exfiltration and further compromise. The use of AI to craft convincing malicious payloads has markedly improved evasion against traditional scanners. Organisations are advised to verify the legitimacy of open-source contributions and job-related contacts, enforce multi-factor authentication on developer accounts, implement dependency scanning with AI-assisted threat detection, and restrict npm installations to approved registries only (pin `registry=` in the project or global `.npmrc`, and consider `ignore-scripts=true` so that install-time hooks cannot run unreviewed).
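The two npm items above both come down to the same three questions about a dependency tree: is anything on it that an advisory has named, did everything come from the registry you approved, and which packages get to run code during install. The script below is an added example, not code from the newsletter, from SAP, or from any vendor, that answers all three from a package-lock.json. The approved registry, the watchlist and the lockfile contents are constructed placeholders; the package names are not the packages named in the reporting.

```javascript
// Added example, not code from the original newsletter or from any vendor:
// audit an npm package-lock.json (lockfileVersion 2 or 3) for three supply-chain
// signals raised above:
//   1. packages on a watchlist you maintain from advisories (name and version),
//   2. packages resolved from anywhere other than the approved registry,
//   3. packages that declare an install-time lifecycle script, which npm records
//      in the lockfile as "hasInstallScript": true. That hook is what lets a
//      trojanised package run code during `npm install`, and an integrity hash
//      does not catch it: the hash only proves the tarball is the one the
//      registry published.
// The registry, watchlist and lockfile below are constructed for illustration;
// the package names are placeholders, not the packages named in the reporting.

const APPROVED_REGISTRY = 'https://registry.npmjs.org/';

// Hypothetical watchlist: package name -> affected versions ('*' means any version).
const WATCHLIST = {
  '@example-vendor/ui-widgets': ['2.4.1', '2.4.2'],
  'example-helper': ['*'],
};

// Constructed lockfile in the lockfileVersion 3 shape. The '' key is the root project;
// every other key is a path under node_modules, nested for non-hoisted dependencies.
const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@example-vendor/ui-widgets': {
      version: '2.4.1',
      resolved: 'https://registry.npmjs.org/@example-vendor/ui-widgets/-/ui-widgets-2.4.1.tgz',
      integrity: 'sha512-AAAA',
      hasInstallScript: true,
    },
    'node_modules/plain-util': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/plain-util/-/plain-util-1.3.0.tgz',
      integrity: 'sha512-BBBB',
    },
    'node_modules/example-helper': {
      version: '0.9.0',
      resolved: 'https://mirror.internal.example/example-helper/-/example-helper-0.9.0.tgz',
      integrity: 'sha512-CCCC',
    },
    'node_modules/@example-vendor/ui-widgets/node_modules/nested-dep': {
      version: '4.0.0',
      resolved: 'https://registry.npmjs.org/nested-dep/-/nested-dep-4.0.0.tgz',
      integrity: 'sha512-DDDD',
    },
  },
};

// "node_modules/a/node_modules/@s/b" names the package "@s/b": the name is
// everything after the last "node_modules/" segment. Returns null for the root entry.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one finding object per signal per package: { name, version, issue }.
function auditLockfile(lockfile, watchlist = WATCHLIST, registry = APPROVED_REGISTRY) {
  if (!lockfile || !lockfile.packages || typeof lockfile.packages !== 'object') {
    throw new Error('expected lockfileVersion 2 or 3 with a "packages" map (run `npm install` to upgrade a v1 lockfile)');
  }
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
    const name = packageNameFromPath(lockPath);
    if (name === null) continue; // root project, not a dependency

    const affected = watchlist[name];
    if (affected && (affected.includes('*') || affected.includes(entry.version))) {
      findings.push({ name, version: entry.version, issue: 'on watchlist' });
    }
    // Registry check: a dependency fetched from elsewhere bypasses whatever
    // review or mirroring the approved registry enforces.
    if (entry.resolved && !entry.resolved.startsWith(registry)) {
      findings.push({ name, version: entry.version, issue: `resolved outside approved registry (${entry.resolved})` });
    }
    if (entry.hasInstallScript === true) {
      findings.push({ name, version: entry.version, issue: 'declares an install lifecycle script' });
    }
  }
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCKFILE)) {
  console.log(`${f.name}@${f.version}: ${f.issue}`);
}
```

To run it against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and put the names and versions from the advisory into WATCHLIST. An install-script finding is not proof of compromise (native modules legitimately build on install), but it is the list of packages that get to execute during `npm install`, which is exactly where this class of attack lives; review those first, or set `ignore-scripts=true` and allow them individually.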
CISA Adds Multiple Vulnerabilities to Known Exploited Vulnerabilities Catalogue - CISA has updated its Known Exploited Vulnerabilities catalogue with two new entries on 28 April 2026 (following four additions on 24 April), including flaws under active exploitation that affect widely deployed enterprise software and networking components. Each KEV entry carries a due date by which US federal civilian agencies must remediate under Binding Operational Directive 22-01, and the listing serves as a critical alert for every other organisation running the affected systems. Exploitation has been confirmed in ransomware and espionage campaigns targeting both public and private sectors. Organisations should prioritise immediate patching of the listed vulnerabilities, restrict internet exposure of affected services, enable comprehensive logging on endpoints and network perimeters, and integrate the KEV catalogue into automated vulnerability management so that a new entry is matched against the asset inventory on the day it is published rather than on the next scan cycle.
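"Integrate the KEV catalogue into automated vulnerability management" is two concrete operations: diff the feed against the last run to see what was added, and join the entries against your own inventory ordered by CISA's due date. The script below is an added example, not code from the newsletter or from CISA. Its feed object uses the field names of the JSON CISA publishes (the URL is in the comment), but every entry, CVE ID, asset and date in it is a constructed placeholder, not a real catalogue row.

```javascript
// Added example, not code from the original newsletter or from CISA: fold the KEV
// catalogue into a vulnerability-management run. Two operations matter in practice:
// (a) "what was added since my last run" and (b) "which of my assets carry a KEV
// entry, ordered by CISA's due date". The feed object below mirrors the field names
// of the JSON CISA publishes at
// https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
// but every entry, CVE ID, asset and date here is a constructed placeholder.

const SAMPLE_KEV_FEED = {
  title: 'CISA Catalog of Known Exploited Vulnerabilities',
  catalogVersion: '2026.04.28',
  count: 3,
  vulnerabilities: [
    {
      cveID: 'CVE-2000-00001', vendorProject: 'ExampleNet', product: 'Edge Gateway',
      vulnerabilityName: 'ExampleNet Edge Gateway Command Injection Vulnerability',
      dateAdded: '2026-04-28', dueDate: '2026-05-19', knownRansomwareCampaignUse: 'Unknown',
      requiredAction: 'Apply mitigations per vendor instructions or discontinue use of the product.',
    },
    {
      cveID: 'CVE-2000-00002', vendorProject: 'ExampleSoft', product: 'Build Server',
      vulnerabilityName: 'ExampleSoft Build Server Authentication Bypass Vulnerability',
      dateAdded: '2026-04-24', dueDate: '2026-05-15', knownRansomwareCampaignUse: 'Known',
      requiredAction: 'Apply mitigations per vendor instructions or discontinue use of the product.',
    },
    {
      cveID: 'CVE-2000-00003', vendorProject: 'ExampleSoft', product: 'Wiki',
      vulnerabilityName: 'ExampleSoft Wiki Remote Code Execution Vulnerability',
      dateAdded: '2026-03-01', dueDate: '2026-03-22', knownRansomwareCampaignUse: 'Known',
      requiredAction: 'Apply mitigations per vendor instructions or discontinue use of the product.',
    },
  ],
};

// Constructed scanner export: one row per asset with the CVEs found on it.
const SAMPLE_INVENTORY = [
  { asset: 'vpn-gw-01', exposure: 'internet', cves: ['CVE-2000-00001', 'CVE-2000-00099'] },
  { asset: 'build-agent-07', exposure: 'internal', cves: ['CVE-2000-00002'] },
  { asset: 'wiki-01', exposure: 'internal', cves: ['CVE-2000-00003', 'CVE-2000-00099'] },
];

// Entries whose dateAdded is strictly after the given date (e.g. the last run's date).
// KEV dates are YYYY-MM-DD, so a string comparison is a chronological comparison.
function kevAddedSince(feed, sinceIsoDate) {
  return feed.vulnerabilities.filter((v) => v.dateAdded > sinceIsoDate);
}

// Whole days from `today` to the KEV due date; negative means already overdue.
function daysUntil(dueIsoDate, today) {
  const MS_PER_DAY = 86400000;
  return Math.round((Date.parse(dueIsoDate) - today.getTime()) / MS_PER_DAY);
}

// Join inventory CVEs against the catalogue. The queue is sorted so overdue and
// soonest-due items come first; on equal due dates internet-exposed assets lead.
function kevRemediationQueue(feed, inventory, today = new Date()) {
  const byCve = new Map(feed.vulnerabilities.map((v) => [v.cveID, v]));
  const queue = [];
  for (const row of inventory) {
    for (const cve of row.cves) {
      const entry = byCve.get(cve);
      if (!entry) continue; // not in KEV: handled under the normal patch cadence
      queue.push({
        asset: row.asset,
        exposure: row.exposure,
        cveID: cve,
        product: `${entry.vendorProject} ${entry.product}`,
        dueDate: entry.dueDate,
        daysUntilDue: daysUntil(entry.dueDate, today),
        ransomware: entry.knownRansomwareCampaignUse === 'Known',
        requiredAction: entry.requiredAction,
      });
    }
  }
  queue.sort((a, b) =>
    a.daysUntilDue - b.daysUntilDue ||
    (a.exposure === 'internet' ? -1 : 0) - (b.exposure === 'internet' ? -1 : 0));
  return queue;
}

const RUN_DATE = new Date('2026-04-29T00:00:00Z'); // fixed so the sample output is reproducible
for (const item of kevRemediationQueue(SAMPLE_KEV_FEED, SAMPLE_INVENTORY, RUN_DATE)) {
  const state = item.daysUntilDue < 0 ? `OVERDUE by ${-item.daysUntilDue}d` : `due in ${item.daysUntilDue}d`;
  console.log(`${item.asset} ${item.cveID} (${item.product}) ${state}${item.ransomware ? ' [ransomware]' : ''}`);
}
```

In a scheduled job you would fetch the live feed, call kevAddedSince with the previous run's catalogVersion date to raise tickets for the new entries, and feed the queue into whatever owns patch scheduling. The due date is CISA's deadline for federal agencies, not a risk score; the knownRansomwareCampaignUse flag and your own exposure data are what should pull an item ahead of its due date.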
US and UK Authorities Warn Firestarter Backdoor Malware Persists Despite Patching - Joint guidance from US and UK cybersecurity authorities highlights the Firestarter backdoor, which continues to operate on compromised systems even after vendors issue patches for the underlying vulnerabilities. The malware, observed in campaigns since mid-April 2026, establishes persistent access through stealthy mechanisms that evade standard remediation efforts, primarily targeting critical infrastructure and government networks. Its resilience stems from persistence techniques that survive reboots and updates. The practical point is that patching closes the entry vector but does not evict an implant that is already inside, so a patched system cannot be treated as clean until it has been verified. Organisations should conduct thorough forensic reviews of patched systems using specialised detection tools, implement network segmentation and behavioural analytics, monitor for anomalous outbound connections indicative of backdoor activity, and adopt zero-trust principles to limit the impact of surviving implants.
Fresh Wave of GlassWorm VS Code Extensions Targets Supply Chain via Malicious Extensions - Researchers have identified a new surge in GlassWorm-themed attacks abusing Visual Studio Code extensions to infiltrate developer workstations and propagate through supply chains. The campaign, active throughout the past week, delivers trojanised extensions that harvest credentials, inject malware, and facilitate lateral movement into corporate environments. With VS Code’s widespread adoption in software development, the risk of downstream compromise across thousands of applications is significant. Organisations should enforce strict extension approval policies, scan extensions against current threat intelligence before they are allowed onto workstations, implement endpoint detection for anomalous extension behaviour, and educate developers to verify the publisher identifier (not just the display name, which a look-alike publisher can copy) before installation.
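An extension approval policy is only as good as the check that the installed set actually matches it. The script below is an added example, not code from the newsletter, from the GlassWorm reporting or from the VS Code project: it takes the output of `code --list-extensions --show-versions` (one `publisher.name@version` per line) and evaluates it against a hypothetical allowlist, with a look-alike publisher in the sample to show why the publisher identifier matters. The listing, publishers and extension names are constructed placeholders, not real marketplace entries.

```javascript
// Added example, not code from the original newsletter or from the VS Code project:
// check the extensions actually installed on a developer workstation against an
// approved list. Input is the output of `code --list-extensions --show-versions`,
// one "publisher.name@version" per line. Policy entries are hypothetical:
//   - a publisher in `publishers` allows any extension it publishes,
//   - a full extension ID in `extensions` allows only that extension, either at
//     any version ('*') or pinned to the listed versions.
// The sample listing below is constructed; the publisher and extension names are
// placeholders, not real marketplace entries.

const EXTENSION_POLICY = {
  publishers: new Set(['approved-publisher']),
  extensions: {
    'third-party.linter': ['3.2.0', '3.2.1'], // pinned: only these versions
    'third-party.theme': '*',                 // any version
  },
};

// Constructed listing. Note the look-alike publisher on the fourth line
// ("pub1isher" with a digit one), which is the trick the advice about verifying
// publisher authenticity is aimed at.
const SAMPLE_LISTING = `approved-publisher.python-tools@2026.4.1
third-party.linter@3.2.1
third-party.linter@3.1.0
approved-pub1isher.python-tools@1.0.0
unknown-dev.productivity-pack@0.0.3
third-party.theme@9.9.9
`;

// Parse one listing line into { publisher, name, id, version }, or null if malformed.
function parseExtensionLine(line) {
  const m = /^([^.@\s]+)\.([^@\s]+)@(\S+)$/.exec(line.trim());
  if (!m) return null;
  return { publisher: m[1], name: m[2], id: `${m[1]}.${m[2]}`, version: m[3] };
}

// Returns { allowed: [ext...], violations: [{ id, version, reason }...] }.
function auditExtensions(listing, policy = EXTENSION_POLICY) {
  const allowed = [];
  const violations = [];
  for (const raw of listing.split('\n')) {
    if (raw.trim() === '') continue;
    const ext = parseExtensionLine(raw);
    if (!ext) {
      violations.push({ id: raw.trim(), version: '?', reason: 'unparseable listing line' });
      continue;
    }
    if (policy.publishers.has(ext.publisher)) { allowed.push(ext); continue; }

    const pins = policy.extensions[ext.id];
    if (pins === undefined) {
      violations.push({ id: ext.id, version: ext.version, reason: 'publisher and extension not on the approved list' });
    } else if (pins === '*' || pins.includes(ext.version)) {
      allowed.push(ext);
    } else {
      violations.push({ id: ext.id, version: ext.version, reason: `version not pinned by policy (allowed: ${pins.join(', ')})` });
    }
  }
  return { allowed, violations };
}

const report = auditExtensions(SAMPLE_LISTING);
for (const v of report.violations) console.log(`REMOVE ${v.id}@${v.version}: ${v.reason}`);
console.log(`${report.allowed.length} approved, ${report.violations.length} violations`);
```

To use it on a real workstation, pipe `code --list-extensions --show-versions` into the script in place of SAMPLE_LISTING. Two caveats: the command reports only the current user's extensions (run it per profile and per remote host where extensions install separately), and an audit after the fact is a detective control. Recent VS Code releases can enforce an allowlist centrally through the `extensions.allowed` setting pushed by policy; treat that as the preventive control and this kind of script as the check that it is actually in force.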
## References
https://thehackernews.com/2026/04/sap-npm-packages-compromised-by-mini.html
https://thehackernews.com/2026/04/new-wave-of-dprk-attacks-uses-ai.html
https://www.cisa.gov/news-events/alerts/2026/04/28/cisa-adds-two-known-exploited-vulnerabilities-catalog
https://www.cybersecuritydive.com/news/us-uk-authorities-firestarter-backdoor-malware-patching/818531/
https://www.darkreading.com/application-security/fresh-glassworm-vs-code-extensions-supply-chain