Cleartext – April 03, 2026

Friday, April 3, 2026 · 7:46

Daily cybersecurity briefing for CISOs and security leaders.

Episode Summary

Today's episode covers 8 stories across 4 topic areas, including: Medtech giant Stryker says it’s back up after Iranian cyberattack; House Dems decry confirmed ICE usage of Paragon spyware; Software supply chain hacks trigger wave of intrusions, data theft.

Stories Covered

🌍 Geopolitical

Medtech giant Stryker says it’s back up after Iranian cyberattack

CyberScoop · Apr 02 · Relevance: ████████░░ 8/10

Why it matters to CISOs: An Iranian hacktivist group deploying wiper malware against a major medtech company signals escalating nation-state targeting of healthcare supply chain companies, requiring CISOs in that sector to reassess geopolitical threat models.

  • Iranian-linked Handala group claimed responsibility for a wiper attack on Stryker Corporation
  • Stryker is one of the world's largest medical technology companies
  • Full recovery took approximately three weeks after systems were wiped

House Dems decry confirmed ICE usage of Paragon spyware

CyberScoop · Apr 02 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Confirmed US government procurement and use of commercial spyware raises the stakes for enterprise mobile security, especially for organizations whose executives or employees might be targeted as persons of interest.

  • ICE confirmed purchasing and using Paragon's spyware capability
  • Congressional Democrats criticized the use and demanded more transparency
  • ICE claims the tool is necessary to counter terrorists exploiting encrypted communications

📡 Macro Trends

Software supply chain hacks trigger wave of intrusions, data theft

Help Net Security · Apr 02 · Relevance: █████████░ 9/10

Why it matters to CISOs: Google researchers warning that hundreds of thousands of stolen secrets are circulating from coordinated supply chain attacks (Axios, Trivy, LiteLLM, KICS, Telnyx) signals an unprecedented wave of downstream compromise risk that every enterprise must assess immediately.

  • Google warned 'hundreds of thousands of stolen secrets could potentially be circulating' from recent supply chain attacks
  • Linked attacks include Axios npm (North Korea), Trivy, KICS, LiteLLM, and Telnyx (TeamPCP)
  • Expected downstream impacts include SaaS environment compromises, ransomware events, and cryptocurrency theft

Akira ransomware group can achieve initial access to data encryption in less than an hour

CyberScoop · Apr 02 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Sub-one-hour ransomware dwell times from a major group like Akira fundamentally challenge detection-and-response assumptions; CISOs must validate that their IR playbooks and automated containment can operate within minutes, not hours.

  • Akira ransomware can now go from initial access to full encryption in under one hour
  • The group invests in developing working decryptors to incentivize ransom payments
  • Halcyon research confirms the dramatically compressed attack timeline

🔓 Data Breach

Trivy supply chain attack enabled European Commission cloud breach

Help Net Security · Apr 03 · Relevance: █████████░ 9/10

Why it matters to CISOs: A supply chain compromise of a widely used open-source security tool (Trivy) leading to a breach of EU institutional cloud infrastructure underscores that your security toolchain itself is an attack surface requiring continuous validation.

  • ShinyHunters/TeamPCP breached European Commission cloud infrastructure via a compromised Trivy supply chain
  • Approximately 340 GB of data stolen and leaked, including personal data from 30+ EU entities
  • Attack vector was a supply chain compromise of a trusted open-source security scanning tool

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

The Hacker News · Apr 03 · Relevance: █████████░ 9/10

Why it matters to CISOs: The Axios npm package is used across virtually every enterprise JavaScript stack; a confirmed North Korean social engineering compromise of its maintainer means CISOs must audit dependencies and rotate any secrets potentially exposed through this package.

  • North Korean threat actors (UNC1069) socially engineered the Axios npm maintainer with a highly targeted campaign
  • Axios is one of the most widely used HTTP client libraries in the JavaScript ecosystem
  • Attackers posed as a company founder to gain the maintainer's trust before compromising the package

Breach Roundup: Feds Confirm 'Major' Hack of FBI System

BankInfoSecurity · Apr 03 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A confirmed 'major' hack of an FBI system, alongside breaches at Lloyds (450K affected) and the Dutch Treasury, signals that even the most hardened targets are being compromised—reinforcing the need for assume-breach postures.

  • Federal authorities confirmed a 'major' hack of an FBI system
  • Lloyds data leak affected 450,000 individuals
  • Dutch Treasury also breached; Citrix flaw actively exploited; US hospital breach affects 257K

🚀 Startup Ecosystem

Startup Linx Secures $50M as Identity Threats Intensify

BankInfoSecurity · Apr 03 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A $50M raise for an AI-driven identity governance platform reflects market recognition that identity remains the primary attack vector and that existing IAM/IGA tools aren't keeping pace with AI agent proliferation.

  • Linx Security raised $50 million for its AI-driven identity platform
  • Focus on real-time visibility, automation, and risk reduction for identity-based attacks
  • Addresses growing identity governance gaps created by AI agents

Full Transcript

Jordan: A trusted open-source security scanner becomes the weapon. A North Korean social engineering operation compromises one of the most downloaded JavaScript libraries on earth. And the European Commission loses 340 gigabytes of data because of it. That's where we are on Friday, April 3rd, 2026. This is Cleartext.

Alex: Welcome back. I'm Alex Chen. Jordan Reeves is with me as always. If this week felt like a stress test for every assumption you've built your security program on, you're not wrong. Supply chain attacks are cascading into real-world breaches at institutional scale. Iranian hackers are wiping medtech infrastructure. Akira ransomware is encrypting your environment before your SOC finishes its first cup of coffee. We're going to get into all of it—the Stryker attack, the Axios compromise, the European Commission breach, a confirmed FBI system hack, and a few other things that should be on your radar going into the weekend. Let's get into it.

Jordan: Let's start where the week's gravity is pulling us—supply chain. Because what looked like a collection of separate incidents is resolving into something much more coherent and much more alarming. Google's researchers are now warning that hundreds of thousands of stolen secrets could be circulating from coordinated attacks hitting Axios, Trivy, LiteLLM, KICS, and Telnyx. We're not talking about isolated opportunistic hits. We're talking about a coordinated campaign targeting the infrastructure developers trust implicitly.

Alex: And the Axios story is the one that every CISO with a JavaScript-heavy stack needs to stop on. UNC1069—North Korean threat actors—didn't find a zero-day. They socially engineered a human being. The maintainer of one of the most widely used HTTP client libraries in the ecosystem. They approached him posing as a company founder, built trust, and then used that access to compromise the package. This is a nation-state investing in the long game of developer trust networks.

Jordan: The technical vector here is almost secondary. The real story is the attack surface: open-source maintainers who are often individuals, often underfunded, and absolutely not trained to recognize a tailored North Korean influence operation. Jason Saayman, the Axios maintainer, said the social engineering was crafted specifically to him. That's not a phishing blast. That's intelligence work.

Alex: So the immediate action items here are not abstract. If your environment uses Axios—and it almost certainly does—you need to audit your dependency versions, check your SBOM, and assume any secrets that passed through that package during the compromise window may be circulating. Same applies to Trivy users, which brings us directly to the European Commission.

Jordan: CERT-EU has confirmed that ShinyHunters, operating as part of TeamPCP, breached cloud infrastructure underpinning websites across thirty-plus EU entities via the compromised Trivy supply chain. Three hundred forty gigabytes exfiltrated. Names, usernames, email addresses, personal data across the bloc. And here's what keeps me focused on this one—Trivy is a security scanning tool. Its entire job is to find vulnerabilities. The attackers compromised the thing you use to check for compromise.

Alex: That's the sentence I want every board member to sit with. Your security toolchain is an attack surface. Your scanners, your monitoring agents, your pipeline integrations—all of it requires the same scrutiny you apply to your production applications. If you haven't done a trust audit of your DevSecOps tooling, that's not a theoretical gap anymore. It's a documented, exploited vector at institutional scale.

Jordan: Now let's shift gears to Stryker—because this one hits differently in terms of threat actor motivation. The Handala group, Iranian-linked, claimed responsibility for a wiper attack against one of the world's largest medical technology companies. Not ransomware. A wiper. The goal wasn't money. It was destruction.

Alex: Three weeks to recover. Think about what that means operationally for a medtech company. These are not systems running e-commerce transactions. This is infrastructure that connects to hospitals, to surgical equipment supply chains, to clinical environments. The decision Stryker's leadership had to make about what to communicate to healthcare customers during that three-week window—that's a board-level crisis, not a security team problem.

Jordan: Handala has been increasingly active and increasingly sophisticated. This is part of a broader Iranian strategic posture that targets companies with perceived connections to Western or Israeli interests. CISOs in the healthcare and medtech space specifically need to update their geopolitical threat models. If you've been treating Iranian threat actors as primarily a financial sector concern, this week tells you that's outdated.

Alex: And let me add the regulatory dimension. For healthcare companies under HIPAA and increasingly under NIS2 if you have EU operations, a three-week recovery from a wiper event is going to draw scrutiny. Regulators don't just care about data exposure—they care about operational resilience. Your incident response plan and your recovery time objectives need to be defensible to a regulator, not just functional in a tabletop.

Jordan: From one speed problem to another. Halcyon's research on Akira ransomware. Sub-one-hour dwell time from initial access to full encryption. That number breaks most detection-and-response assumptions that exist in enterprise security programs today. The industry has been building IR playbooks around hours of dwell time. That window is gone.

Alex: The practical implication is that your automated containment has to fire before a human analyst has fully assessed the alert. That's uncomfortable for a lot of organizations, because automated response carries its own risks—false positives, business disruption. But you have to make that tradeoff decision now, explicitly, before Akira makes it for you. And the detail about Akira investing in functional decryptors matters too—it tells you this group is running a professional operation optimized for payment. They want your money, not your headlines.

Jordan: Quick note on the breach roundup this week, because the context matters more than any single item. Federal authorities confirmed a major hack of an FBI system. Lloyds had 450,000 individuals exposed. The Dutch Treasury was breached. A Citrix flaw is being actively exploited. What's the connective tissue? Even the hardest targets are falling. If you're still running a prevention-dominant security model, these are your weekly data points that the assume-breach posture isn't paranoia—it's just accurate.

Alex: And on the Paragon spyware confirmation—ICE has now officially acknowledged purchasing and deploying Paragon's capability. Congressional Democrats are pushing back, but the capability exists and is being used domestically. For CISOs, especially those in industries with politically sensitive profiles or organizations whose executives travel internationally or deal with immigration policy, enterprise mobile security needs to be evaluated in this context. Commercial spyware is no longer a foreign government problem. It's a domestic procurement reality.

Jordan: Thirty seconds on Linx—fifty million dollars raised for an AI-driven identity governance platform. The market signal is clear: identity remains the primary attack vector, and the proliferation of AI agents is creating governance gaps that legacy IGA tools weren't designed to handle. If your identity program doesn't have a strategy for non-human identities and AI agents, that's now a funded, competitive space. Worth a look.

Alex: Let's land the week. Jordan, what's the theme you're carrying into next week?

Jordan: The weaponization of trust. Not vulnerability exploitation—trust exploitation. Maintainers, open-source tools, security scanners. The entire software supply chain runs on chains of trust that were never designed to be adversarially stress-tested by nation-states. We're watching that assumption collapse in real time.

Alex: My takeaway for the board conversation next week is simple: the perimeter of your organization now extends to every developer whose code you've ever pulled from a public registry, and every security tool you've ever integrated into your pipeline. That's your attack surface. The week's events are a forcing function to go have that conversation and get the resources to address it seriously.

Jordan: Quantify it, prioritize it, and don't wait for the next Trivy.

Alex: That's Cleartext for Friday, April 3rd, 2026. If you found this useful, share it with a peer who needs it. We're back Monday. Stay sharp.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-04-03.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.