
Cleartext – March 23, 2026


show notes


Daily cybersecurity briefing for CISOs and security leaders.


Episode Summary

Today's episode covers 9 stories across 5 topic areas, including: FBI Seizes Iranian Online Leak Sites After Stryker Hack; Russian hackers go after high-value targets through Signal; Texas Gov. Orders State Review of Chinese-Made Medtech.

Stories Covered

🌍 Geopolitical

FBI Seizes Iranian Online Leak Sites After Stryker Hack

BankInfoSecurity · Mar 23 · Relevance: █████████░ 9/10

Why it matters to CISOs: A state-sponsored Iranian attack on a major medical device manufacturer with FBI domain seizures signals escalating geopolitical cyber operations targeting healthcare supply chains — CISOs in healthcare and manufacturing must reassess third-party and supply chain risk postures.

  • Iranian hacking group Handala posted screenshots claiming access to Stryker's internal IT systems
  • FBI seized four web domains associated with Iranian hacking operations
  • Attack tied to Iran's MOIS amid escalating Iran-Israel-U.S. tensions


Russian hackers go after high-value targets through Signal

Help Net Security · Mar 23 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Russian intelligence compromising thousands of Signal accounts undermines executive assumptions about secure messaging — CISOs need to issue guidance on communication security for leadership and board members who rely on commercial encrypted messaging apps.

  • FBI and CISA jointly warned about Russian intelligence targeting Signal and other messaging platforms
  • Thousands of commercial messaging app accounts believed compromised
  • Targets include government personnel, journalists, and individuals with access to sensitive communications


Texas Gov. Orders State Review of Chinese-Made Medtech

BankInfoSecurity · Mar 23 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: State-level action against Chinese-manufactured connected medical devices with known backdoors signals expanding supply chain scrutiny — CISOs should anticipate similar reviews across other states and sectors.

  • Texas Governor Abbott ordered review of foreign-made connected medical devices in state facilities
  • Contec and Epsimed monitors found to contain backdoors
  • Focus on cybersecurity risks to patients and healthcare infrastructure from Chinese manufacturers


📡 Macro Trends

Operation Alice Takes Down 370,000+ Dark Web Sites

Infosecurity Magazine · Mar 23 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A massive international law enforcement takedown disrupting hundreds of thousands of dark web sites impacts the cybercrime ecosystem — CISOs should monitor for displaced threat actors migrating to alternative infrastructure.

  • German-led international policing effort took down 370,000+ dark web sites
  • Operation targeted fraud, CSAM, and cybercrime operations
  • Significant disruption to dark web infrastructure


🔓 Data Breach

Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper

The Hacker News · Mar 23 · Relevance: █████████░ 9/10

Why it matters to CISOs: A supply chain compromise of Trivy, a widely-used open-source vulnerability scanner, via Docker Hub is a high-impact event — CISOs must verify their DevSecOps toolchains and container image provenance immediately.

  • Malicious Trivy versions 0.69.4, 0.69.5, and 0.69.6 were distributed via Docker Hub
  • Malicious images contained infostealers and a Kubernetes wiper component
  • Last known clean release is Trivy 0.69.3; malicious versions have been removed
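As an added example (not from the episode and not the Trivy project's own tooling), here is a small Python check a DevSecOps team could run over CI configuration and Dockerfile lines to find Trivy image references, flag the versions the briefing names as malicious, and flag references that rely on a floating tag rather than a pinned digest. The repository paths, the placeholder digest and the sample lines are constructed for the illustration; only the version numbers come from the briefing.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Versions the briefing reports as malicious, and the last release it calls clean.
MALICIOUS_TRIVY_VERSIONS = {"0.69.4", "0.69.5", "0.69.6"}
LAST_CLEAN_TRIVY_VERSION = "0.69.3"

# Image reference grammar (subset): [registry/]namespace/trivy[:tag][@sha256:<64 hex>]
# At least one path component must precede "trivy", so a bare CLI invocation
# such as "trivy image ..." is not mistaken for an image reference.
IMAGE_RE = re.compile(
    r"(?<![\w./-])"                            # start of the reference
    r"(?P<repo>(?:[\w.-]+/)+trivy)"            # e.g. aquasec/trivy (assumed sample path)
    r"(?![\w.-])"                              # not trivy-operator or similar
    r"(?::(?P<tag>\w[\w.-]*))?"                # optional :tag
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"   # optional @sha256:digest
)


@dataclass
class Finding:
    line_no: int
    text: str
    repo: str
    tag: Optional[str]
    digest: Optional[str]
    verdict: str  # "malicious" | "pinned" | "floating" | "unpinned"


def classify(tag: Optional[str], digest: Optional[str]) -> str:
    """Classify one image reference.

    A known-malicious version tag is reported even when a digest is present:
    a digest only pins content, it does not make that content safe.
    """
    if tag in MALICIOUS_TRIVY_VERSIONS:
        return "malicious"
    if digest:
        return "pinned"       # content-addressed: what was reviewed is what runs
    if tag is None or tag == "latest":
        return "floating"     # the tag can silently move to a different image
    return "unpinned"         # version tag only; the registry could still serve different bytes


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Scan CI/Dockerfile lines and return every Trivy image reference found."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for m in IMAGE_RE.finditer(line):
            findings.append(
                Finding(
                    line_no=line_no,
                    text=line.strip(),
                    repo=m.group("repo"),
                    tag=m.group("tag"),
                    digest=m.group("digest"),
                    verdict=classify(m.group("tag"), m.group("digest")),
                )
            )
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per verdict (usable as a CI gate: fail if malicious > 0)."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


# Constructed sample lines (not a real pipeline); the digest is a placeholder,
# not an actual Trivy image digest.
CONSTRUCTED_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_PIPELINE = [
    "# constructed sample lines; not a real pipeline",
    "image: aquasec/trivy:0.69.4",
    f"image: docker.io/aquasec/trivy:{LAST_CLEAN_TRIVY_VERSION}@{CONSTRUCTED_DIGEST}",
    "FROM ghcr.io/aquasecurity/trivy:latest",
    "docker pull aquasec/trivy:0.69.3",
    "trivy image --severity HIGH,CRITICAL myapp:1.2.3",
]


if __name__ == "__main__":
    results = scan_lines(SAMPLE_PIPELINE)
    for f in results:
        pinned = "yes" if f.digest else "no"
        print(f"line {f.line_no}: {f.verdict:9s} {f.repo} tag={f.tag} digest={pinned}")
    print(summarize(results))
```

Run it over `find . -name Dockerfile -o -name '*.yml'` output concatenated into lines; anything classified `malicious` is an incident, and `floating` or `unpinned` references are the ones to convert to digest pins so that a later registry compromise cannot change what the pipeline executes.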


⚖️ Governance & Policy

When Liability Turns the CISO Into the Fall Guy

BankInfoSecurity · Mar 23 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Directly addresses the evolving personal liability landscape for CISOs — essential reading for security leaders negotiating D&O coverage, reporting structures, and contractual protections.

  • Regulators increasingly pursuing personal accountability for CISOs after major breaches
  • Rising liability is changing how security leaders report risk to boards
  • The trend is making the CISO role less attractive to experienced practitioners


Modernizing HIPAA: Are You Ready?

BankInfoSecurity · Mar 23 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: The first major HIPAA Security Rule overhaul in decades could finalize as early as May 2026 — CISOs in healthcare and adjacent industries need to begin gap assessments against the proposed requirements now.

  • HIPAA Security Rule undergoing first major overhaul in decades
  • Finalization could come as early as May 2026
  • New requirements grounded in modern cybersecurity frameworks


Delve accused of misleading customers with 'fake compliance'

TechCrunch Security · Mar 22 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Allegations that a compliance startup falsely certified hundreds of customers as compliant is a cautionary tale for CISOs relying on third-party compliance automation — validates the need for independent verification of vendor compliance claims.

  • Compliance startup Delve accused of falsely convincing hundreds of customers they were compliant
  • Allegations surfaced via anonymous Substack post detailing 'fake compliance' practices
  • Raises questions about integrity of automated compliance-as-a-service offerings


🚨 Critical Vulnerability

CISA Orders US Government to Patch Maximum Severity Cisco Flaw

Infosecurity Magazine · Mar 23 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A maximum-severity Cisco vulnerability actively exploited in ransomware campaigns and added to CISA's KEV catalog demands immediate patching attention from any enterprise running affected Cisco infrastructure.

  • CVE-2026-20131 added to CISA's Known Exploited Vulnerabilities catalog
  • Actively being used in ransomware campaigns
  • Maximum severity rating with federal agencies ordered to patch



Full Transcript


Jordan: The FBI just seized Iranian hacking infrastructure. A supply chain attack poisoned one of the most trusted tools in your DevSecOps stack. And Russian intelligence has been quietly reading Signal messages for months. It's Monday. Let's get into it.

Alex: Welcome to Cleartext. I'm Alex Chen, alongside Jordan Reeves, and today's episode is dense in the best possible way. We've got Iranian state actors hitting a major medical device manufacturer, a Trivy supply chain compromise that should have your DevSecOps team on high alert right now, Russian operators undermining executive assumptions about encrypted messaging, and a CISO liability conversation that gets more urgent by the week. Let's go.

Jordan: Starting with Stryker. The Iranian hacking group Handala posted screenshots last week claiming access to Stryker's internal IT systems. The FBI responded by seizing four web domains tied to Iranian hacking operations. The group is connected to Iran's Ministry of Intelligence and Security — MOIS — and the timing isn't incidental. This is happening against the backdrop of escalating Iran-Israel-U.S. tensions, and Handala has been operationally aggressive.

Alex: The Stryker angle matters beyond the headline. This is a global medical device manufacturer deep in hospital supply chains across the country. When you think about the blast radius of a compromise at that level — firmware, device software, procurement systems — you're not just looking at a data breach. You're looking at potential patient safety implications. Healthcare CISOs need to be having conversations right now about their Tier 1 and Tier 2 supplier relationships and what visibility they actually have into those environments.

Jordan: The FBI seizure is meaningful but it's not a deterrent. Iran has rebuilt infrastructure faster than seizures can land. Handala already had a backup site operational. What matters operationally is that MOIS is comfortable targeting critical infrastructure adjacent sectors with public leak campaigns. That changes your threat model if you're in healthcare, defense industrial base, or anywhere near the supply chain that serves those sectors.

Alex: And speaking of state actors undermining assumptions — the FBI and CISA issued a joint warning this weekend about Russian intelligence actively targeting Signal accounts. Thousands of commercial messaging accounts believed compromised. Targets include government personnel, journalists, and people with access to sensitive communications.

Jordan: This is a campaign that's been running longer than the advisory suggests. What's happening technically is a combination of linked device exploitation and phishing flows that bypass the encrypted channel entirely — they're not breaking Signal's encryption, they're compromising the endpoint or the account linkage. The distinction matters because the response isn't "stop using Signal." The response is hardening how you use it.

Alex: Right, and this is a board-level conversation, not just an IT policy memo. Senior executives, board members, general counsel — these are exactly the profile of targets this campaign is interested in. If your organization hasn't issued updated guidance on commercial encrypted messaging — what's approved, what's not, how to configure it, how to detect linked device abuse — that needs to happen this week. The assumption that end-to-end encryption means end-to-end security is exactly the gap these operators are exploiting.

Jordan: Staying in the geopolitical lane but shifting to hardware — Texas Governor Abbott ordered a review of foreign-made connected medical devices in state facilities after Contec and Epsimed patient monitors were found to contain backdoors. Chinese manufacturers, known vulnerabilities, now explicit state-level action.

Alex: What I'd tell CISOs here is don't wait for your governor to issue an order. Texas won't be the last state to do this. If you have connected medical devices — monitors, infusion pumps, imaging equipment — from Chinese manufacturers in your environment, you should be doing that inventory and risk assessment now. Because the regulatory pressure is building and if you're scrambling reactively when your state issues a similar directive, you've already lost the initiative.

Jordan: Shifting gears to something that should be landing in Slack channels across your DevSecOps teams as we speak. Trivy — the open-source container vulnerability scanner that a significant chunk of the industry relies on — was compromised via Docker Hub. Versions 0.69.4, 0.69.5, and 0.69.6 contained infostealers and a Kubernetes wiper component. Last known clean release is 0.69.3.

Alex: This is a textbook supply chain attack, and the reason it scores so high is the target selection. Trivy sits inside CI/CD pipelines. It runs with elevated permissions. It has access to registries, credentials, cluster configurations. If you pulled one of those malicious versions into a production pipeline, you potentially handed attackers credential access and the ability to wipe Kubernetes infrastructure. That's not a theoretical risk.

Jordan: Immediate action: audit every pipeline that pulls Trivy images from Docker Hub, verify you're on 0.69.3 or a verified clean build, and check for indicators of compromise. The malicious versions have been removed from Docker Hub, but if you pulled them before takedown, the damage may already be done. And this is a broader forcing function — your container image provenance controls need to be airtight. Signature verification, pinned digests, not floating tags. This is what "trust but verify" looks like in a DevSecOps context.

Alex: Let's talk about something that hits closer to home for every person listening. Personal CISO liability. The trend is accelerating. Regulators are pursuing individual accountability after major breaches. We've seen it with the SEC, we're seeing it in state enforcement actions, and it's reshaping the role in ways that should concern boards as much as it concerns CISOs.

Jordan: The perverse outcome here is that rising personal liability is making experienced people not want the job. And the people who do take it are either over-insulated by indemnification arrangements that may not hold, or they're adjusting how they report risk upward — which means boards may actually be getting less accurate risk pictures because the CISO is managing liability exposure at the same time they're supposed to be managing risk.

Alex: If you're in this role, you need to be having explicit conversations with your general counsel about D&O coverage — what it covers, what it doesn't, what the conditions are. You need documented evidence that you escalated material risks appropriately. And frankly, your employment agreement needs to address this directly. This isn't paranoia. This is professional risk management. The SolarWinds CISO situation was a warning that some organizations still haven't fully internalized.

Jordan: Two quick items before we wrap. CISA added CVE-2026-20131 to the Known Exploited Vulnerabilities catalog — maximum severity Cisco flaw, actively used in ransomware campaigns. Federal agencies have a mandatory patch deadline. If you're running affected Cisco infrastructure, this isn't a "schedule it next sprint" situation. Treat it as emergency patching priority.

Alex: And a cautionary tale for anyone relying on compliance automation vendors — Delve, a compliance startup, is facing allegations via an anonymous Substack post that it falsely certified hundreds of customers as compliant with privacy and security regulations. The details are still developing, but the pattern is familiar. Compliance-as-a-service platforms that generate paper compliance without substantive controls. If your attestations are built on third-party automation, you need independent verification. The regulator asking questions after a breach is not going to accept "our vendor said we were compliant" as a defense.

Jordan: And Operation Alice — German-led international effort took down over 370,000 dark web sites targeting fraud and cybercrime infrastructure. Significant disruption. But history tells us that when you disrupt large criminal ecosystems, the operators scatter and reconstitute. Watch for displaced threat actors looking for new infrastructure and potentially more aggressive in the near term as they rebuild.

Alex: Zooming out — the theme this week is convergence. Geopolitical tensions are driving state-sponsored operations into sectors that weren't traditionally primary targets. Supply chains are the attack surface. Personal liability is changing how security leaders behave. And the tools your teams trust are not immune to compromise. The week ahead: watch for additional MOIS activity in the wake of the Stryker attention, monitor your Trivy environments closely, and if you're in healthcare, the HIPAA Security Rule overhaul could finalize by May — gap assessments should already be underway.

Jordan: If they're not, start Tuesday.

Alex: That's Cleartext for Monday, March 23rd. We're back tomorrow. If this was useful, share it with someone who needs it. Stay sharp.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-03-23.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.