In May 2026, malicious code appeared inside packages used across NHS software projects. The software supply chain attack named Mini Shai-hulud by researchers spread through CI/CD systems, package registries, and developer tooling before anyone noticed something was wrong. It was caught quickly. Damage was limited.

The UK's National Cyber Security Centre is using that near-miss to bring into focus a more urgent case. The underlying conditions that made Mini Shai-hulud possible are not unique to that attack, and subsequent similar campaigns have gone undetected for longer and spread far more widely.

The Problem Is Structural

NCSC National Resilience Officer Jack F, is not mainly intere...