Cleartext daily briefing

Cleartext – March 25, 2026

Wednesday, March 25, 2026


show notes

Daily cybersecurity briefing for CISOs and security leaders.

Episode Summary

Today's episode covers 8 stories across 3 topic areas, including: US: FCC Bans Foreign-Made Routers Over National Security Concerns; DarkSword’s GitHub leak threatens to turn elite iPhone hacking into a tool for the masses; UK cyber chief urges ‘full court press’ to counter rising cyber threats.

Stories Covered

🌍 Geopolitical

US: FCC Bans Foreign-Made Routers Over National Security Concerns

Infosecurity Magazine · Mar 25 · Relevance: █████████░ 9/10

Why it matters to CISOs: This sweeping ban on all foreign-made consumer routers will force CISOs to reassess supply chain dependencies, procurement pipelines, and edge device strategies across distributed workforces and branch offices.

  • FCC placed all consumer-grade routers produced outside the US on its 'covered list'
  • Ban follows years of escalating state-linked attacks targeting routers and edge devices
  • Critics warn the broad approach could create supply chain uncertainty and legal disruptions

DarkSword’s GitHub leak threatens to turn elite iPhone hacking into a tool for the masses

CyberScoop · Mar 24 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Leaked iOS 18 exploits that were previously nation-state exclusive could rapidly expand the threat landscape for executive mobile security and BYOD programs across enterprises.

  • GitHub leak could 'democratize' iPhone exploits once reserved for nation-states
  • Hundreds of millions of iOS 18 devices potentially at risk
  • Researchers warn the leak lowers the barrier for sophisticated mobile attacks

UK cyber chief urges ‘full court press’ to counter rising cyber threats

The Record (Recorded Future) · Mar 25 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: The NCSC CEO's RSA keynote warning that cyber risks are 'of greater consequence than ever before' signals escalating UK regulatory and policy pressure that global enterprises must factor into their programs.

  • NCSC CEO Richard Horne delivered keynote at RSA Conference
  • Called for 'full court press' approach to counter rising threats
  • Warned cyber risks are now of greater consequence than ever before

🔓 Data Breach

Stryker says malware was involved in recent cyberattack as production lines reopen

The Record (Recorded Future) · Mar 24 · Relevance: █████████░ 9/10

Why it matters to CISOs: A major medical device manufacturer suffering a destructive wiper attack, allegedly carried out by Iranian actors, that shut production for roughly two weeks is a stark reminder of nation-state risks to manufacturing and healthcare supply chains.

  • Alleged Iranian cyber actors wiped more than 200,000 Stryker devices
  • Production lines were down for approximately two weeks
  • Stryker confirmed malware was involved as it ramps operations back up

Experts warn of a ‘loud and aggressive’ extortion wave following Trivy hack

CyberScoop · Mar 24 · Relevance: █████████░ 9/10

Why it matters to CISOs: The TeamPCP supply chain campaign now spans Trivy, Checkmarx KICS, VS Code plug-ins, and LiteLLM—any organization using these open-source tools in CI/CD pipelines needs immediate incident triage and dependency audits.

  • Mandiant warns fallout could impact up to 10,000 downstream victims
  • TeamPCP compromised the open-source security tool Trivy and published malicious versions
  • LiteLLM versions 1.82.7 and 1.82.8 on PyPI were also backdoored with credential stealers and Kubernetes lateral movement toolkits
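For the dependency audit the note above calls for, here is an added example (not code from the Cleartext page, nor from LiteLLM, Trivy or Mandiant) that scans requirements-style manifest lines and the running Python environment for the two LiteLLM versions the story names. The sample manifest lines are constructed. The page gives no affected Trivy release, so Trivy is deliberately not matched here; it ships as a binary or container image and needs a separate check of the version you actually pull in CI.

```python
"""Scan dependency manifests and the live environment for the LiteLLM versions
the story names as backdoored on PyPI. Added example; not code from the
Cleartext page, LiteLLM, Trivy or Mandiant."""
import re
from importlib.metadata import PackageNotFoundError, version as installed_version
from typing import Iterable

# From the show notes: the two LiteLLM releases published with a backdoor.
COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}}

# name[extras] <op>version ; markers   (comments are stripped before matching)
_REQ = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"\s*(?:\[[^\]]*\])?\s*"
    r"(?P<op>===|==|~=|!=|>=|<=|>|<)?\s*"
    r"(?P<ver>[^\s;,]+)?"
)


def normalize(name: str) -> str:
    """PEP 503 normalization, so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (package, version, verdict) for every line naming a watched package.

    COMPROMISED: pinned to a version the story lists.
    UNPINNED:    no exact pin, so a resolver may still select a listed version.
    Pins to any other version produce no finding.
    """
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment-only, -r/--index-url options
            continue
        m = _REQ.match(line)
        if not m:
            continue
        name = normalize(m.group("name"))
        if name not in COMPROMISED:
            continue
        op, ver = m.group("op"), m.group("ver")
        if op in ("==", "==="):
            if ver in COMPROMISED[name]:
                findings.append((name, ver, "COMPROMISED"))
        else:
            findings.append((name, ver or "*", "UNPINNED"))
    return findings


def check_installed(package: str = "litellm") -> tuple[str, str]:
    """Verdict for the interpreter this runs in (e.g. a CI runner or proxy host)."""
    try:
        ver = installed_version(package)
    except PackageNotFoundError:
        return ("not-installed", "OK")
    bad = COMPROMISED.get(normalize(package), set())
    return (ver, "COMPROMISED" if ver in bad else "OK")


# Constructed sample manifest; not taken from any real repository.
SAMPLE_LINES = [
    "# constructed requirements.txt",
    "-r base.txt",
    "requests==2.32.3",
    "LiteLLM[proxy]==1.82.8 ; python_version >= '3.10'",
    "litellm>=1.80   # floating range, resolver may select 1.82.x",
    "litellm==1.82.6",
]

if __name__ == "__main__":
    for pkg, ver, verdict in audit(SAMPLE_LINES):
        print(f"{verdict:<12} {pkg}=={ver}")
    print("installed:", *check_installed())
```

Run it against each `requirements*.txt`, the output of `pip freeze` on build agents, and inside the containers that serve the LiteLLM proxy; an UNPINNED finding is worth fixing even when the resolved version is currently clean, because the next resolve can land on a listed release. For Trivy, compare the binary or image tag you pull against the vendor's advisory once affected releases are published.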

⚖️ Governance & Policy

When Liability Turns the CISO Into the Fall Guy

BankInfoSecurity · Mar 25 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Directly addresses the personal liability trend reshaping the CISO role—essential context for CISOs negotiating reporting structures, D&O coverage, and board-level risk communication.

  • Regulators increasingly pursuing personal accountability after major breaches
  • Rising liability is weakening security culture and deterring experienced practitioners
  • The trend is changing how security leaders report risk to boards

Treasury asks whether terrorism risk insurance program should bolster cyber coverage

CyberScoop · Mar 24 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Expanding the Terrorism Risk Insurance Act to cover catastrophic cyber events could fundamentally reshape the cyber insurance landscape, affecting how CISOs quantify and transfer risk.

  • Federal Register notice seeks public comment on cyber coverage within the 2002 TRIA law
  • Could address the systemic risk gap that private cyber insurers currently exclude
  • Signals growing federal recognition that catastrophic cyber events may require a government backstop

The CVE Program, a bedrock of global cyber defense, is teetering on the brink

Cybersecurity Dive · Mar 24 · Relevance: ████████░░ 8/10

Why it matters to CISOs: The CVE program underpins vulnerability management across every enterprise; its potential destabilization from funding issues, AI-generated vulnerability floods, and competing international initiatives could disrupt patch prioritization and compliance workflows.

  • Funding scare raised existential questions about the CVE program's future
  • AI-generated vulnerability reports are straining the system
  • Similar international initiatives are emerging as potential alternatives or competitors

Full Transcript

Jordan: Two hundred thousand wiped devices. Two weeks of dead production lines. And the bill goes to Stryker — one of the largest medical device manufacturers on the planet. That's not ransomware. That's a nation-state sending a message. We'll get into who, and what it means for your supply chain, right now.

Alex: Welcome to Cleartext. It's Wednesday, March 25th, 2026. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: Today we have a dense slate. Iranian wiper malware hits a medical device giant. A major supply chain attack through your security tooling — yes, the tools you use to find vulnerabilities are now the vulnerability. The FCC just banned every foreign-made consumer router. iOS exploits that used to cost nation-states millions are now free on GitHub. And we're going to talk about personal CISO liability, because that conversation is not going away. Let's get into it.

Jordan: Let's start with Stryker, because this one deserves the full treatment. Iranian cyber actors allegedly deployed wiper malware that destroyed more than 200,000 devices inside Stryker's environment. Production lines — for medical devices — went dark for roughly two weeks. Stryker confirmed malware was involved as they ramped back up this week.

Alex: The thing that jumps out to me operationally is the scale of destruction. This wasn't data exfiltration. This wasn't ransomware waiting for a negotiation. Wipers are about pain and disruption. And in a medical device manufacturing context, "disruption" has downstream consequences that go well beyond the company's balance sheet.

Jordan: The attribution to Iranian actors matters for context. We've seen Tehran increasingly willing to conduct destructive operations against sectors they view as strategically or politically significant. And healthcare manufacturing sits at a nexus of US economic power and critical infrastructure. If you're a CISO in manufacturing, defense industrial base, or healthcare supply chain, this is your threat model now. Not hypothetically — operationally.

Alex: For the board conversation, frame it this way: this is what a nation-state attack looks like when it's not trying to steal data. The recovery cost, the reputational damage, the supply chain disruption — that's the actual risk equation your board needs to understand. Not just breach notification liability.

Jordan: Moving to the supply chain story, because this one has a very specific and urgent action attached to it. The TeamPCP campaign has compromised Trivy — the widely-used open-source container vulnerability scanner — and published malicious versions. Mandiant is warning of up to 10,000 downstream victims. The blast radius also includes Checkmarx KICS, VS Code plug-ins, and two specific LiteLLM versions on PyPI — 1.82.7 and 1.82.8 — which were backdoored with credential stealers and Kubernetes lateral movement toolkits.

Alex: This is the attack that security teams have been dreading for years. You're using Trivy because you care about security. You're using it in your CI/CD pipeline, which means it has privileged access to your build environment, your credentials, your Kubernetes clusters. And that's exactly where the attacker planted the flag.

Jordan: The extortion wave that Mandiant is warning about is described as "loud and aggressive." So if you haven't already, today is the day you audit your CI/CD dependencies, check your Trivy versions, and check your LiteLLM deployments. This is not a wait-and-see situation.

Alex: Check your SBOM if you have one. If you don't, this is a compelling use case for getting one.

Jordan: On to the FCC router ban. The commission has added all consumer-grade routers produced outside the United States to its covered list. That's sweeping. The practical universe of affected hardware is enormous, and the supply chain alternatives at that scale basically don't exist yet.

Alex: The intent here is sound. We've watched Chinese state-linked actors — Volt Typhoon being the canonical example — pre-position inside edge devices for years. Routers are a persistent and underdefended attack surface. But the execution of a blanket ban creates real problems for CISOs managing distributed workforces and branch offices at scale.

Jordan: The procurement pipeline question is legitimate. If you're running a hybrid workforce with home office employees or small branch deployments relying on consumer-grade hardware, you need to be thinking about your refresh cycle and your sourcing strategy right now. Because this creates both a compliance question and a practical gap.

Alex: And for anyone in federal contractor space or regulated industries, this goes from advisory to mandatory fast. I'd be talking to your procurement and legal teams this week about what's on your network and what your timeline looks like.

Jordan: Now to the DarkSword leak, because this one shifts the iOS threat model in a meaningful way. A GitHub leak attributed to the DarkSword group has exposed iOS 18 exploits that were previously in the nation-state toolkit — think the kind of capability that used to cost eight figures on the commercial market. Now it's free.

Alex: The phrase researchers are using is "democratization," and I think that's the right frame. The barrier to a sophisticated iOS compromise just dropped dramatically. For CISOs with executive protection programs, BYOD policies, or any high-value targets on iOS — which is most of us — the threat surface just got wider and the adversary pool just got larger.

Jordan: The patch calculus also matters here. If your executives or board members are running unpatched iOS 18 devices, that's not a low-risk posture anymore. Mobile device management and enforced patch policies for high-risk users are now more defensible investments than ever.

Alex: NCSC CEO Richard Horne used his RSA keynote this week to call for a "full court press" against rising cyber threats, and said risks are now of "greater consequence than ever before." I'll say this: when the head of the UK's national cyber agency uses a basketball metaphor at the world's largest security conference, he's trying to communicate urgency to an audience that has become somewhat numb to urgency.

Jordan: The geopolitical subtext is important. The UK has been vocal about Chinese and Russian threat activity targeting critical infrastructure. Horne's comments signal that Western governments are moving toward more coordinated pressure — regulatory, diplomatic, and operational. For global enterprises, that translates into increased regulatory scrutiny on both sides of the Atlantic.

Alex: Let's spend a few minutes on two governance stories that are directly about your role and your future. First, CISO personal liability. The BankInfoSecurity piece this week puts words to something a lot of us have been feeling. Regulators are pursuing personal accountability after major breaches. The SolarWinds CISO situation set a precedent, and it's not isolated.

Jordan: The practical consequence is that some security leaders are changing how they communicate risk upward. And not necessarily in ways that make organizations more secure — in ways that protect them personally. That's a structural problem.

Alex: If you're not already talking to your general counsel about D&O coverage that explicitly covers your CISO function, do that this week. And your reporting structure matters. If you don't have a direct line to the board, that's not just an influence problem — it's a liability exposure.

Jordan: The second governance story is longer-term but significant. Treasury is seeking public comment on whether the Terrorism Risk Insurance Act should be extended to cover catastrophic cyber events. This signals that the federal government is beginning to acknowledge what the private market has been quietly admitting for years — that systemic cyber risk may exceed what commercial insurers can absorb alone.

Alex: If TRIA-style backstop coverage gets extended to cyber, it fundamentally changes the economics of cyber insurance and how we model tail risk. Worth watching closely. Submit a comment if you have a view — these public comment periods actually matter.

Jordan: And briefly — the CVE program. A funding scare earlier this month raised genuine questions about the program's long-term viability. AI-generated vulnerability submissions are straining the system, and international alternatives are emerging. The CVE program is the plumbing of vulnerability management. If it degrades, patch prioritization gets harder, compliance workflows get disrupted, and your downstream tooling gets less reliable.

Alex: This week's theme, if I had to name one, is the compression of risk tolerance. Nation-state tactics that used to be reserved for high-value government targets are now hitting manufacturers, developers, and mobile devices. Regulatory frameworks are hardening. Personal exposure for security leaders is real. The margin for error is shrinking, and the board conversation about resourcing has to reflect that.

Jordan: What I'm watching in the next two weeks: whether the FCC ban triggers formal procurement guidance from CISA for federal contractors, whether Mandiant's downstream Trivy victim count grows materially, and whether we see a secondary wave of extortion tied to that campaign.

Alex: And I'll be watching the TRIA comment process and whether any major cyber insurers weigh in publicly. That'll tell us a lot about where the market thinks systemic risk is headed.

Jordan: That's Cleartext for Wednesday, March 25th. If this episode was useful, share it with a peer. We'll be back tomorrow.

Alex: Stay sharp.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-03-25.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.