Cleartext daily briefing

Cleartext – March 31, 2026

Tuesday, March 31, 2026 · 9:23


Show notes


Daily cybersecurity briefing for CISOs and security leaders.


Episode Summary

Today's episode covers 9 stories across 5 topic areas, including: Iranian Cyberthreats Test US Infrastructure Defenses; ‘Missed opportunity’: US government’s absence from RSAC Conference leaves stark void; Axios npm packages backdoored in supply chain attack.

Stories Covered

🌍 Geopolitical

Iranian Cyberthreats Test US Infrastructure Defenses

BankInfoSecurity · Mar 31 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Iranian-linked groups prepositioning in US critical infrastructure signals elevated risk for enterprises in water, energy, and adjacent sectors. CISOs should review threat intelligence feeds and validate detection coverage for known Iranian TTPs.

  • Iranian-linked hacking groups are actively targeting U.S. water systems
  • Analysts warn of prepositioned cyber access that could be rapidly activated during geopolitical escalation
  • Federal defenders facing operational strain across critical infrastructure sectors


‘Missed opportunity’: US government’s absence from RSAC Conference leaves stark void

Cybersecurity Dive · Mar 31 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: The absence of federal participation at RSAC signals a potential weakening of public-private cybersecurity partnerships that enterprise security leaders have relied on for threat intelligence sharing and coordinated defense.

  • Trump administration chose not to attend the world's largest cybersecurity conference
  • Experts say the absence sent the wrong message to domestic and international partners
  • Raises concerns about the future of public-private cyber defense coordination


🔓 Data Breach

Axios npm packages backdoored in supply chain attack

Help Net Security · Mar 31 · Relevance: █████████░ 9/10

Why it matters to CISOs: Axios is one of the most widely used JavaScript libraries in enterprise applications. CISOs need to immediately verify whether compromised versions (1.14.1, 0.30.4) are present in any builds and assess software supply chain controls.

  • Attacker compromised the GitHub and npm accounts of the main Axios developer
  • Backdoored versions inject a malicious 'plain-crypto-js' dependency that installs droppers and RATs on Windows, macOS, and Linux
  • Versions 1.14.1 and 0.30.4 are affected; attack was detected March 30, 2026

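A lockfile check for the two versions this story names, added here as an example that is not from the article or from the Axios project: it walks a package-lock.json in both the flat lockfileVersion 2/3 layout and the nested lockfileVersion 1 layout, flagging axios 1.14.1 or 0.30.4 anywhere in the transitive tree and any occurrence of plain-crypto-js. The two sample lockfiles are constructed inline; the package names example-app and internal-http-helper and the plain-crypto-js version string are placeholders, not real values.

```python
import json
from typing import Iterator, List, Tuple

# The two backdoored releases named in the story, plus the malicious
# dependency they pull in. Any other axios version is simply not flagged.
AFFECTED_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
MALICIOUS_DEPENDENCY = "plain-crypto-js"

# Constructed sample lockfile (lockfileVersion 3 layout): a build that
# pinned a backdoored axios, which in turn pulled in plain-crypto-js.
SAMPLE_LOCK_V3 = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "0.0.0-constructed"},
    },
})

# Constructed sample in the older lockfileVersion 1 layout (nested tree),
# where axios is only a transitive dependency of an internal package.
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "internal-http-helper": {
            "version": "2.0.0",
            "dependencies": {"axios": {"version": "0.30.4"}},
        }
    },
})


def iter_locked_packages(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) for every pinned package: the flat v2/v3
    "packages" map (keyed by node_modules path) and the v1 nested tree."""
    for path, meta in lock.get("packages", {}).items():
        if path:  # the "" entry is the root project itself, not a package
            yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "")

    def walk(deps: dict) -> Iterator[Tuple[str, str]]:
        for name, meta in deps.items():
            yield name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_compromised(lock_text: str) -> List[Tuple[str, str]]:
    """Sorted (name, version) pairs matching the affected axios releases or
    the malicious dependency; a set de-duplicates v2 files listing both layouts."""
    hits = set()
    for name, version in iter_locked_packages(json.loads(lock_text)):
        affected = name == "axios" and version in AFFECTED_AXIOS_VERSIONS
        if affected or name == MALICIOUS_DEPENDENCY:
            hits.add((name, version))
    return sorted(hits)
```

A non-empty result for a build's lock file means that build resolved an affected release or the injected dependency and should be treated as compromised until rebuilt from a clean version.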

Stryker restores most manufacturing after cyberattack

Cybersecurity Dive · Mar 30 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A 20-day recovery timeline at a major medtech manufacturer underscores the operational resilience challenge CISOs face, particularly the cascading business impact of cyberattacks on manufacturing, supply chain, and order fulfillment.

  • Stryker has been recovering from a March 11 cyberattack affecting manufacturing, ordering, and shipping
  • Most manufacturing operations have been restored after approximately 20 days
  • Stryker is a major medical technology company with significant supply chain dependencies


⚖️ Governance & Policy

Italian regulator fines financial giant $36 million for data protection failures

The Record (Recorded Future) · Mar 30 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A $36M GDPR fine against Intesa Sanpaolo for inadequate technical and organizational security measures reinforces that regulators are imposing material financial penalties, making data protection investment a board-level financial risk discussion.

  • Italian Data Protection Authority fined Intesa Sanpaolo SpA $36 million
  • Fine was for 'serious shortcomings in personal data security' including inadequate technical and organizational measures
  • One of the largest GDPR fines against a financial institution to date


When Liability Turns the CISO Into the Fall Guy

BankInfoSecurity · Mar 31 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Directly addresses the growing personal liability trend facing CISOs post-breach, affecting talent retention, risk reporting practices, and the structural positioning of the security function within the enterprise.

  • Regulators are increasingly pursuing personal accountability for CISOs after major breaches
  • Rising liability is weakening security culture and making the CISO role less attractive to experienced practitioners
  • The trend is changing how security leaders report risk and structure their relationships with boards


🚀 Startup Ecosystem

Oasis Raises $120M Series B to Safeguard Agentic Identities

BankInfoSecurity · Mar 31 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Non-human identity management is an emerging gap as enterprises deploy AI agents at scale. This $120M raise signals market validation of the agentic identity governance category that CISOs will need to address.

  • Oasis Security raised $120M Series B for non-human identity and AI agent governance
  • Platform focuses on intent-based access controls and automated governance for AI agents
  • Addresses growing enterprise need to secure machine-to-machine and agentic identities


🚨 Critical Vulnerability

Critical Citrix NetScaler memory flaw actively exploited in attacks

BleepingComputer · Mar 30 · Relevance: █████████░ 9/10

Why it matters to CISOs: Active exploitation of Citrix NetScaler ADC/Gateway (CVE-2026-3055) with comparisons to the devastating 2023 CitrixBleed campaign demands immediate patching action and network forensics to check for compromise.

  • CVE-2026-3055 is being actively exploited to extract sensitive data from Citrix NetScaler ADC and Gateway appliances
  • CISA has ordered federal agencies to patch by Thursday
  • Security researchers warn this could rival the 2023 CitrixBleed campaign in scope


Hackers exploiting critical F5 BIG-IP flaw in attacks, patch now

BleepingComputer · Mar 30 · Relevance: █████████░ 9/10

Why it matters to CISOs: F5 BIG-IP is ubiquitous in enterprise environments. Reclassification from DoS to critical RCE with active webshell deployment means CISOs must treat this as an emergency patching event and conduct IOC sweeps on all BIG-IP APM instances.

  • CVE-2025-53521 reclassified from high-severity DoS to critical RCE
  • Attackers are actively deploying webshells on unpatched F5 BIG-IP devices
  • NCSC has urged immediate patching; originally disclosed in October as lower severity


Full Transcript


Jordan: Someone backdoored Axios. Not a niche library. Not a package you've never heard of. Axios — downloaded hundreds of millions of times, sitting inside enterprise applications across every industry. Versions 1.14.1 and 0.30.4. If you haven't checked your builds yet, that is the first call you make after this episode.

Alex: It's Tuesday, March 31st, 2026. You're listening to Cleartext. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: Today we have a dense one. Two critical vulnerabilities under active exploitation — Citrix and F5 — that both warrant emergency response. A major supply chain compromise in one of the most widely deployed JavaScript libraries on the planet. Iranian threat actors prepositioning in U.S. critical infrastructure. A $36 million GDPR fine that should be in front of every board's audit committee. And a conversation about CISO personal liability that hits close to home for a lot of people listening. Let's get into it.

Jordan: Let's start with the supply chain story because the blast radius here is significant. On March 30th, an attacker compromised the GitHub and npm accounts of the primary Axios developer. They published backdoored versions — 1.14.1 and 0.30.4 — that pull in a malicious dependency called plain-crypto-js, which drops RATs on Windows, macOS, and Linux. Cross-platform. Automated. This isn't a proof of concept. It's a full exploitation chain.

Alex: The reason this is a nine out of ten story is Axios's ubiquity. This is not a corner-case dependency. It's a default HTTP client in a massive percentage of enterprise JavaScript applications, internal tools, CI/CD pipelines, customer-facing products. The attack surface is enormous and the detection window was short.

Jordan: The immediate action is straightforward: inventory your builds, check your lock files, confirm which versions you're running. But the harder conversation is the one your engineering leadership doesn't want to have — which is that you probably don't have a complete, real-time picture of your transitive dependencies. Most organizations don't. This attack didn't exploit a zero-day in your code. It exploited your trust in an open-source maintainer's account security.

Alex: And that's the supply chain problem in a sentence. You inherit the security posture of every developer whose package you consume. So the board question becomes: what is your software composition analysis coverage, and when did you last validate it end to end?

Jordan: Now let's talk about the two vulnerabilities, because both are actively exploited and both require action this week. CVE-2026-3055, the Citrix NetScaler flaw. CISA has already ordered federal agencies to patch by Thursday. Researchers are drawing direct comparisons to CitrixBleed in 2023, which was one of the most broadly exploited vulnerabilities of that year. The attack extracts sensitive data from ADC and Gateway appliances.

Alex: If you lived through CitrixBleed, you know what that comparison means. It means threat actors are already tooled up. It means the exploitation curve is steep. The standard advice applies: patch immediately, but also run forensics. Don't assume that patching closes the window on a compromise that may already have occurred.

Jordan: Right alongside it — CVE-2025-53521 in F5 BIG-IP. This one was originally disclosed in October as a high-severity denial-of-service vulnerability. It has been reclassified to critical remote code execution, and attackers are actively deploying webshells on unpatched devices. The NCSC has urged immediate action. The reclassification is the key detail here — your team may have triaged this at a lower priority level based on the original disclosure. That calculus has changed completely.

Alex: Both of these are infrastructure-layer vulnerabilities in products that sit at critical control points — network access, load balancing, gateway functions. A webshell on your BIG-IP is a persistent foothold with significant lateral movement potential. This is emergency patching territory, and your SOC needs to be running IOC sweeps on every BIG-IP APM instance in your environment today.

Jordan: Now to the geopolitical layer, and this one has legs. Iranian-linked groups are actively targeting U.S. water systems with what analysts are describing as prepositioned access — meaning they're not necessarily there to cause immediate damage, they're there to be ready. The concern is rapid activation if the geopolitical situation escalates.

Alex: The term prepositioning is doing a lot of work here, and CISOs should understand what it means operationally. This isn't opportunistic scanning. It's deliberate, patient implantation of access that can be weaponized on a timeline that someone else controls. The threat isn't theoretical — it's the difference between a breach you're responding to and a kinetic moment you're not prepared for.

Jordan: The sectors most directly in the crosshairs are water, energy, and adjacent critical infrastructure. But if your organization has any dependencies on municipal water systems, regional energy providers, or industrial supply chains, you have downstream exposure. This is a moment to revisit your third-party risk framework with infrastructure dependencies specifically in mind. And if you're not already subscribed to CISA's critical infrastructure threat feeds, there's no good reason not to be.

Alex: Which connects to our second geopolitical story, because the irony is sharp. The Trump administration chose not to attend RSAC this year — the world's largest cybersecurity conference — at precisely the moment when public-private threat intelligence sharing matters most. Multiple experts are calling it a missed opportunity. I'd call it a structural signal.

Jordan: The intelligence sharing mechanisms that enterprise security teams have relied on — the ISACs, the CISA advisories, the coordinated disclosure pipelines — those don't disappear overnight, but they atrophy when the federal government stops showing up. For CISOs, the practical implication is that you may need to lean harder on commercial threat intelligence and industry peer networks to fill gaps that were previously covered by government partnerships.

Alex: That's a budget conversation and a vendor conversation. File it accordingly.

Jordan: Let's talk about Stryker. Twenty days to restore most manufacturing operations after a March 11 cyberattack. Ordering and shipping disrupted. Significant supply chain dependencies affected. They're a major medtech manufacturer, so the downstream implications include hospitals and surgical supply chains.

Alex: The twenty-day number is what boards need to internalize. Not as a data point about Stryker specifically, but as a reference case for what operational recovery actually looks like in a manufacturing environment. Tabletop exercises that assume a week-long recovery are not calibrated to reality. If you are a CISO at a manufacturer, or if manufacturing is anywhere in your supply chain, your resilience planning should be built around a multi-week disruption scenario, not a multi-day one.

Jordan: Now to governance, and two stories that belong in the same conversation. Italy's data protection authority fined Intesa Sanpaolo — one of Europe's largest banks — $36 million for serious shortcomings in personal data security. Inadequate technical and organizational measures. That language is deliberate and it's GDPR language. This is one of the largest GDPR fines against a financial institution to date.

Alex: The signal for CISOs here is straightforward: regulators have moved past warnings. They're issuing material fines, and they're doing it against well-resourced institutions who presumably had security programs in place. Inadequate technical and organizational measures is a phrase your board's audit committee should be evaluating against your own posture right now. This is exactly the kind of third-party reference point that makes the security investment conversation easier.

Jordan: And that connects directly to the liability piece. BankInfoSecurity ran an analysis today on the growing trend of regulators pursuing personal accountability for CISOs after major breaches. The thesis is that rising personal liability is changing how security leaders report risk — and not for the better. When CISOs are personally exposed, the incentive to surface uncomfortable risk to boards starts to compete with the incentive for self-preservation.

Alex: I'll be direct about this one because it affects everyone listening. The personal liability trend is real. The SolarWinds case, what happened to the Uber CISO — these weren't aberrations. They're shaping the role. And the downstream effect is exactly what that analysis describes: experienced practitioners are walking away, and those who stay are structuring their risk reporting to create documentation trails rather than genuine dialogue. That is bad for organizations and it's bad for the profession.

Jordan: The structural fix requires boards to stop treating the CISO as the designated fall guy and start treating security as a shared governance responsibility. That's a conversation for the general counsel's office, the board, and the CEO — not just the CISO.

Alex: Brief note on the funding side: Oasis Security raised $120 million Series B for non-human identity and AI agent governance. The category is called agentic identity. If your organization is deploying AI agents at scale — and most enterprises are starting to — those agents are acquiring credentials, making API calls, accessing data stores. They are identities, and they are almost certainly outside your current IAM governance framework. Watch this space. The investment validates the problem is real.

Jordan: So what's the theme of the week?

Alex: It's trust degradation across multiple vectors simultaneously. Supply chain trust — Axios. Infrastructure trust — Citrix, F5. Government partnership trust — the RSAC absence. Regulatory trust — the GDPR fine, the liability conversation. These aren't separate stories. They're a composite picture of an environment where the assumptions that enterprise security programs were built on are being stress-tested all at once.

Jordan: The organizations that navigate this period well are going to be the ones that treat threat intelligence as infrastructure, not a line item. That invest in supply chain visibility before the incident. That build board relationships based on honest risk dialogue rather than managed reassurance.

Alex: That's the work. Thanks for listening to Cleartext. If today's episode was useful, share it with a peer. We'll be back tomorrow.

Jordan: Stay sharp.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-03-31.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.