Cybersecurity Today – “Startup Accused Of Helping Fake Privacy and Security Audits”
Host: David Shipley
Date: March 23, 2026
Episode Overview
This episode dives into four key cybersecurity threats making headlines: allegations against compliance startup Delve for faking privacy and security audits, the hijacking of a popular vulnerability scanner (Trivy), Russian phishing threats targeting encrypted messaging accounts, and the profound human fallout from the Iranian cyberattack on medical device maker Stryker. Host David Shipley unpacks these stories with direct language and clear calls to action for security professionals and everyday users alike.
Key Discussion Points & Insights
1. Compliance Startup Delve Accused of Faking Security Audits
- Allegations: Delve, a Y Combinator-backed compliance startup, is accused of helping hundreds of clients fake compliance audits, exposing them to legal/regulatory risks under HIPAA and GDPR.
- Source: Anonymous ‘Deep Delver’ via Substack post, reported by TechCrunch’s Anthony Ha.
- Details of Allegations:
- Delve allegedly supplied fabricated evidence of processes, meetings, and tests.
- Two audit firms, reportedly based in India, "rubber stamped" reports that Delve had pre-written.
- Deep Delver: “‘Instead of auditors reviewing the evidence, Delve was writing the reports and handing it over to auditors to rubber stamp.’” [01:53]
- Delve’s Response:
- Denies issuing compliance reports, says it only automates evidence collection for auditors.
- Claims provided templates aren’t equivalent to fabricated evidence.
- Security Issues:
- After TechCrunch exposé, researcher Jamison O’Reilly found external exposure of Delve’s sensitive data, including background checks and equity schedules.
- Delve is investigating potential data leaks.
- [00:19–04:20]
2. Trivy Vulnerability Scanner Hijacked in Supply Chain Attack
- Incident: Malicious actors (Team PCP) compromised the GitHub build process of Aqua Security's Trivy scanner, publishing a backdoored version and tampering with existing version tags.
- Impact:
- Malicious code ran before any legitimate scan for users pulling affected versions.
- Stolen data included SSH keys, cloud credentials, API tokens, passwords, shell history, and even cryptocurrency wallets.
- Data was exfiltrated to a domain disguised to look legitimate.
- Chain of Events:
- A prior credential breach at Aqua Security on March 1 prompted a hasty key rotation. The rotation was incomplete, and the attackers took advantage of that gap by stealing a refresh token.
- The backdoored release was live for about 3 hours; compromised tags active up to 12 hours.
- Host’s Security Guidance:
- “If your organization used affected versions of Trivy during the window, treat your environment as fully compromised. Rotate everything — cloud credentials, SSH keys, API tokens, database passwords…” [06:23]
- Emphasizes full and coordinated remediation after a breach.
- Follow-up Attack:
- Team PCP later launched a worm targeting NPM packages, harvesting tokens to propagate further.
- [04:20–07:14]
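The tag tampering described above works because a version tag is a mutable pointer: whoever controls the repository or registry can re-point it, and every pipeline that references the tag silently picks up the new artifact. As an added example (not code from the podcast, from Aqua Security, or from the Trivy project), the script below audits a GitHub Actions workflow and flags every action or container image referenced by a tag or branch instead of an immutable identifier (a full 40-character commit SHA for actions, a sha256 digest for images). The workflow text is constructed for the example, and names such as example-org/scanner-action and example.registry/scanner are placeholders, not real projects or affected versions.

```python
"""Flag mutable (tag- or branch-based) references in a GitHub Actions workflow.

Added example; not code from the podcast or from any project it mentions.
Pinning by commit SHA or image digest stops a re-pointed tag from changing
what the pipeline runs. It does not protect you if the artifact you chose
to pin was already backdoored, so pin *and* verify the artifact you pin.
"""
import re

# Constructed placeholders: a 40-hex commit SHA and a 64-hex image digest.
COMMIT = "deadbeef" * 5
DIGEST = "0123456789abcdef" * 4

# Sample workflow constructed for this example; all names are hypothetical.
SAMPLE_WORKFLOW = f"""\
name: scan
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: example.registry/scanner@sha256:{DIGEST}
    steps:
      - uses: example-org/setup@v4
      - uses: example-org/scanner-action@v1
      - uses: example-org/scanner-action@{COMMIT}
      - uses: docker://example.registry/helper:1.2
      - run: docker run --rm example.registry/scanner:latest image myapp:1.0
      - run: docker run --rm example.registry/scanner@sha256:{DIGEST} fs .
"""

# `image:` keys and `docker run|pull [flags] <image>` invocations in run steps.
# Flags that take a separate value (e.g. `-v a:b`) are not modelled here.
IMAGE_RE = re.compile(r"(?:image:\s*|docker\s+(?:run|pull)\s+(?:-\S+\s+)*)(\S+)")
SHA1_RE = re.compile(r"[0-9a-f]{40}")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def classify_action(ref: str) -> str:
    """A GitHub Action ref is immutable only if it is a full commit SHA.
    Tags (v1), branches (main) and an empty ref (default branch) are mutable."""
    return "pinned" if SHA1_RE.fullmatch(ref) else "mutable"


def classify_image(image: str) -> str:
    """A container image reference is immutable only if it carries a digest."""
    return "pinned" if DIGEST_RE.search(image) else "mutable"


def _finding(line: int, kind: str, ref: str, status: str) -> dict:
    return {"line": line, "kind": kind, "ref": ref, "status": status}


def audit_pipeline(text: str) -> list:
    """Return one finding per action/image reference, in file order."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip().lstrip("- ").strip()
        if stripped.startswith("uses:"):
            target = stripped[len("uses:"):].strip()
            if target.startswith("./"):
                continue  # local action: versioned together with the repo itself
            if target.startswith("docker://"):
                image = target[len("docker://"):]
                findings.append(_finding(n, "image", image, classify_image(image)))
                continue
            _name, _sep, ref = target.partition("@")
            findings.append(_finding(n, "action", target, classify_action(ref)))
            continue
        m = IMAGE_RE.search(line)
        if m:
            image = m.group(1)
            findings.append(_finding(n, "image", image, classify_image(image)))
    return findings


def mutable_refs(text: str) -> list:
    """Just the references that a re-pointed tag could silently replace."""
    return [f["ref"] for f in audit_pipeline(text) if f["status"] == "mutable"]


if __name__ == "__main__":
    for f in audit_pipeline(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>3}  {f['kind']:<6} {f['status']:<8} {f['ref']}")
    print("mutable:", mutable_refs(SAMPLE_WORKFLOW))
```

Run against the sample, the audit reports four mutable references (two tag-pinned actions, the docker:// helper and the `:latest` scanner image) and three pinned ones. The same check belongs in CI as a gate, and it pairs with the host's guidance: pinning limits what a tampered tag can do to future builds, but it says nothing about a build that already ran during the window, which still needs the full credential rotation described above.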
3. Russian Intelligence Phishing Campaigns Targeting Signal & WhatsApp
- Targeted Individuals: US and global high-value targets (government, military, journalists).
- Attack Vector:
- Old-school phishing — impersonating support services, soliciting verification codes or PINs, or tricking victims into scanning malicious QR codes.
- No exploitation of Signal/WhatsApp’s encryption or core software.
- Techniques Used:
- Taking over the account outright (using harvested verification codes or PINs), or silently linking an attacker-controlled device to the victim's account (by getting the victim to scan a QR code).
- Notable Quote & Guidance:
- “Signal has been direct about this. Their support team will never initiate contact through in app messages, SMS, or social media, and they will never ask for a verification code or pin. If anyone does, it's a scam.” [08:19]
- “Never share your SMS or verification code or PIN with anyone for any reason. Be cautious with unexpected messages from unknown contacts.” [09:02]
- Advice for All:
- Regularly review linked devices in messaging apps; remove unknown devices.
- Broader Implications:
- While currently focused on high-value targets, everyday users are at risk from similar tactics.
- [07:14–10:00]
4. The Human Cost of the Stryker Cyberattack
- Stories Highlighted:
- Amy Forrest: A five-year-old girl’s urgent cranial surgery delayed after her custom Stryker implant was held up due to the attack.
- “Amy Forrest was supposed to have surgery last week... instead, her mother Taylor got the call that the implant was stuck in Germany and the procedure had been pushed...” [10:04]
- Adam Page: Hip surgery postponed after a Stryker rep couldn’t deliver a critical bone graft kit.
- “Paige had already been on medical leave for months. Now he's left wondering how much longer his employer will wait.” [10:41]
- Scope and Attribution:
- The attack, now attributed to Iran’s Ministry of Intelligence (Handala group), disrupted Stryker’s ordering and shipping, impacting medical procedures across the US.
- DOJ seized attack domains, but attackers restored operations quickly.
- Expert Insight:
- Ari Ben Am: “Handala has had dozens of telegram channels, social media accounts and other domains taken down... and it has never slowed them down significantly.” [11:11]
- Big Picture:
- Cyberattacks have tangible, life-altering impacts for real people, not just organizations.
- [10:00–11:45]
Notable Quotes & Memorable Moments
- “Deep Delver puts it bluntly: ‘Instead of auditors reviewing the evidence, Delve was writing the reports and handing it over to auditors to rubber stamp.’” — David Shipley, [01:53]
- “If your organization used affected versions of Trivy during the window, treat your environment as fully compromised. Rotate everything…” — David Shipley, [06:23]
- “Signal has been direct about this... their support team will never... ask for a verification code or pin. If anyone does, it’s a scam.” — David Shipley, [08:19]
- “The Handala story is a good reminder that the impact from cyberattacks doesn't just stay within computer networks.” — David Shipley, [11:44]
Timestamps — Quick Reference
- 00:19 — Episode start and Delve faked audits story begins
- 01:53 — Delve’s alleged audit process explained
- 04:20 — Trivy vulnerability scanner supply chain attack
- 06:23 — Guidance: Treat affected environments as fully compromised
- 07:14 — Russian intelligence phishing campaigns against messaging apps
- 08:19 — Security reminders for users of Signal & WhatsApp
- 10:00 — The real-world impact of the Stryker cyberattack (patient stories)
- 11:11 — Handala group bounce-back and commentary
- 11:44 — Closing thought: cyberattacks’ impact beyond computers
Summary
David Shipley delivers a brisk, informed rundown of ongoing cybersecurity crises, highlighting risks from dishonest compliance startups to widespread supply chain vulnerabilities, state-sponsored social engineering, and the lived effects of cyber disruptions. Listeners come away with both technical guidance and heartfelt reminders of why cybersecurity matters beyond the server room.
