Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com/CST.

A compliance startup accused of helping hundreds of customers fake their way through security audits, a popular vulnerability scanner turned against the people using it, Russian intelligence targeting Signal and WhatsApp accounts, and the real human cost of the Iranian cyberattack on Stryker. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started.

A compliance startup is facing serious accusations that it helped hundreds of customers fake their way through privacy and security audits, potentially leaving those customers exposed to liability under regulations like HIPAA and hefty fines under Europe's GDPR. Reporting by Anthony Ha at TechCrunch details allegations against Delve, a Y Combinator-backed startup that raised $32 million last year at a $300 million valuation. The accusations come from an anonymous Substack post written by someone identifying themselves as "Deep Delver," describing themselves as a former client and saying they and others pooled resources to investigate after a reported data leak raised red flags. They allege Delve achieved its claim of being the fastest compliance platform by generating fabricated evidence of board meetings, tests and processes, then presenting that material to auditors who then rubber-stamped the results. Deep Delver puts it bluntly: instead of auditors reviewing the evidence, Delve was writing the reports and handing them over to auditors to rubber-stamp. The post also names two audit firms, which Deep Delver claims are part of the same operation, based primarily in India, with only a nominal US presence and largely just signing off on reports Delve had already prepared. Delve has pushed back, calling the Substack post misleading and denying it issues compliance reports at all. The company says it's an automation platform. It collects compliance information and gives auditors access to it, with final reports issued solely by independent, licensed auditors.
On the evidence question, Delve says it provides templates to help teams document their processes and that templates are not the same as pre-filled evidence. What adds another wrinkle to this story is that after TechCrunch published, a security researcher reported finding sensitive Delve data, including employee background checks and equity vesting schedules, accessible externally. Dvuln founder Jamison O'Reilly shared details of what was described as several significant security holes in Delve's external attack surface. Delve says it's actively investigating.

A threat actor known as TeamPCP compromised the Trivy scanner's GitHub build process, backdoored version 0.6.9.4 of the scanner and tampered with nearly all version tags in the Trivy Action repository. The result? Any workflow pulling from those tags automatically ran malicious code before legitimate scans even started, making the compromise difficult to spot. What were the attackers after? Essentially the kitchen sink: the infostealer swept up SSH keys, cloud credentials for AWS, Azure and GCP, database passwords, API tokens, CI/CD configurations, Kubernetes and Docker credentials, VPN configs, shell history and even, for good measure, cryptocurrency wallets. Collected data was encrypted and shipped off to a command-and-control server designed to look like a legitimate domain. Here's the part that stings: this wasn't a zero day. Aqua Security, the company behind Trivy, had already suffered a credential breach on March 1. They did the right thing: they rotated their secrets, but the process wasn't fully locked down and the attackers were apparently able to grab a refresh token before the rotation completed. This attack was a follow-up. The malicious release was live for roughly three hours. The compromised GitHub Actions tags were active for up to 12 hours.
Researchers also linked TeamPCP to a follow-up campaign involving a self-propagating worm targeting npm packages, one that can spread across developer environments and CI/CD pipelines by harvesting npm tokens and publishing malicious updates to other packages. If your organization used affected versions of Trivy during the window, treat your environment as fully compromised. Rotate everything: cloud credentials, SSH keys, API tokens, database passwords, and review your systems for signs of persistent access. A key point worth noting from this story: credential rotation after a breach has to be both complete and fully coordinated, rotating everything at once, or you risk leaving a door open that attackers can walk back through.

The FBI and CISA are warning that threat actors linked to Russian intelligence are running phishing campaigns targeting WhatsApp and Signal accounts, and they're going after some high-value targets. Ravie Lakshmanan at The Hacker News has the details. According to a joint advisory, the campaign is focused on current and former U.S. government officials, military personnel, political figures and journalists globally. The operation has already resulted in unauthorized access to thousands of individual accounts. It's worth being clear about what this attack is and what it isn't. This is not a case of Russian hackers cracking encryption or exploiting a software flaw in Signal or WhatsApp. The platforms themselves haven't been hacked. This is old-fashioned social engineering: attackers impersonated trusted services like Signal Support to trick targets into handing over verification codes or PINs, or into scanning a malicious QR code, a reminder once more that QR codes can in fact be dangerous. The outcome depends on which method the victim fell for. If someone hands over their PIN or verification code, the attacker uses it to take over the account on their own device, locking the victim out and gaining access to future messages.
If the victim clicks a link or scans the QR code instead, a device controlled by the attacker gets silently linked to the account, giving them access to the full message history, while the victim often has no idea anything has happened. Signal has been direct about this: their support team will never initiate contact through in-app messages, SMS or social media, and they will never ask for a verification code or PIN. If anyone does, it's a scam. The protections here are straightforward. Never share your SMS or verification code or PIN with anyone for any reason. Be cautious with unexpected messages from unknown contacts. Be careful with links and QR codes, and periodically review the list of linked devices in your messaging apps. Remove anything you don't recognize. Both Signal and WhatsApp make this easy to do in settings. While this campaign appears focused on high-value targets for now, these exact same techniques can and will be used on everyday people. Now's a good moment to make sure the people in your life, especially those who might be considered targets, know how these attacks work and know how to protect themselves.

Five-year-old Amy Forrest was supposed to have surgery last week. It was supposed to be her last one: a custom Stryker implant to repair parts of her skull damaged when she and her father fell 40 ft off a cliff while hiking in 2024. Instead, her mother, Taylor, got the call that the implant was stuck in Germany and the procedure had been pushed to next month. Adam Page, a 42-year-old veterinarian, had already been prepped for hip surgery at a Boston hospital when a head nurse told him the procedure couldn't go ahead. A Stryker representative couldn't get the required bone graft kit to them in time. Page had already been on medical leave for months. Now he's left wondering how much longer his employer will wait.
That's the human cost, reported by Bloomberg, of the March 11 cyberattack on Stryker, one of the world's largest medical device companies. CommonSpirit Health, one of the largest hospital systems in the United States, also confirmed that a small number of surgical cases have been rescheduled as a result of the disruption. Stryker says the incident has been contained, its products are safe and it has sufficient inventory for most of its product line. But disruptions to ordering, manufacturing and shipping of custom implants are real, and patients are feeling it. The US government has now linked the attack to Handala, a hacking unit operating under Iran's Ministry of Intelligence and Security. The DOJ seized four domains associated with the group late last week, Reuters reports. The FBI affidavit supporting those seizures describes probable cause to believe Handala's operators carried out the Stryker attack, which wiped tens of thousands of devices. The impact from those seizures lasted about a day. By Friday, Handala had its websites back up, calling the domain seizures a desperate attempt to silence them. That quick turnaround wasn't surprising to some analysts. Ari Ben Am of the Foundation for Defense of Democracies told Reuters that Handala has had dozens of Telegram channels, social media accounts and other domains taken down over the years, and it has never slowed them down significantly. The Handala story is a good reminder that the impact from cyberattacks doesn't just stay within computer networks.

This was Cybersecurity Today for Monday, March 23, 2026. I've been your host, David Shipley. One quick note: I'll be in San Francisco on Monday and Tuesday covering RSAC. If you're there, come say hi. Thanks for listening and stay safe out there.
We'd like to thank Meter for their support in bringing you the podcast. Meter delivers full-stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware and the firmware, build the software, manage deployments and even run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses all the way to data centers. Book a demo at meter.com/CST. That's M-E-T-E-R dot com slash CST.
Host: David Shipley
Date: March 23, 2026
This episode dives into four key cybersecurity threats making headlines: allegations against compliance startup Delve for faking privacy and security audits, the hijacking of a popular vulnerability scanner (Trivy), Russian phishing threats targeting encrypted messaging accounts, and the profound human fallout from the Iranian cyberattack on medical device maker Stryker. Host David Shipley unpacks these stories with direct language and clear calls to action for security professionals and everyday users alike.
David Shipley delivers a brisk, informed rundown of ongoing cybersecurity crises, highlighting risks from dishonest compliance startups to widespread supply chain vulnerabilities, state-sponsored social engineering, and the lived effects of cyber disruptions. Listeners come away with both technical guidance and heartfelt reminders of why cybersecurity matters beyond the server room.