Startup Accused Of Helping Fake Privacy and Security Audits

Compliance Startup Audit-Faking Claims, Trivy Supply-Chain Backdoor, Russia Targets Signal/WhatsApp, and Iran-Linked Stryker Disruption

Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at Meter.com/cst

This episode covers allegations that Y Combinator-backed compliance startup Delve helped customers fake privacy and security audits by generating fabricated evidence that auditors then rubber-stamped, alongside Delve's denial and a report of sensitive Delve data being externally accessible. It also details a TeamTNT/Team PCP-style supply-chain compromise of Aqua Security's Trivy scanner via GitHub build and tag tampering, briefly distributing a backdoored release that stole cloud credentials, SSH keys, tokens, and more, with guidance to treat affected environments as fully compromised and rotate secrets. The FBI and CISA warn of Russian intelligence-linked phishing targeting Signal and WhatsApp accounts through social engineering and malicious QR codes. Finally, it describes the real-world impact of an Iran-linked Handala cyberattack on Stryker, disrupting custom implant logistics and delaying surgeries.

00:00 Sponsor Message Meter 00:18 Headlines Overview 00:48 Delve Audit Allegations 03:27 Trivy Scanner Backdoor 06:01 Russian Phishing Signals 08:54 Stryker Attack Fallout 11:30 Wrap Up And RSAC 11:48 Sponsor Message Meter