Security Now Episode 1061: "More GhostPosting – RAM Crisis Hits Firewalls"

Date: January 21, 2026
Hosts: Steve Gibson & Leo Laporte

Episode Overview

In this packed and lively episode, Steve Gibson and Leo Laporte examine critical issues facing the cybersecurity world as 2026 kicks off. They take a deep dive into the haunting resurgence of "GhostPoster" browser extension malware, discuss why RAM prices are surging (and how that's shaking up both consumer and enterprise hardware), highlight notable industry moves (like Anthropic's $1.5m support to the Python Software Foundation), and explore legal and policy developments impacting global privacy and security. As always, the hosts weave in their signature playful banter and nostalgia while dropping expert-level insights for both security professionals and keen techies.

Key Discussion Points & Insights

1. RAM Price Surge and Its Effects (18:08)

The Context

Steve kicks off with a warning for enterprises: RAM shortages and price hikes aren’t just a PC-user pain—they're coming for network firewalls and high-end enterprise gear too.
Recent research suggests that leading firewall vendors (Fortinet, Palo Alto, Check Point) will be hit particularly hard.

Highlights

Quote (Steve):
"DRAM prices have been up between 60% and 70% since last year and are expected to grow another 50% in the first quarter of the year alone." [20:25]
AI datacenter demand is gobbling up supply, pushing consumer and security product manufacturers to the back of the line.
"If you know you're going to buy high-end, RAM-intensive network security equipment soon, order now—prices are only going higher," Steve advises. [21:55]

Personal Note

Steve is glad he preemptively bought new servers and RAM for GRC: "Last summer RAM was still amazingly inexpensive. Not so any longer." [22:56]

2. Anthropic's Investment in Python Security (23:26)

Anthropic donates $1.5 million to the Python Software Foundation, earmarked for security upgrades.
Funds will boost proactive, AI-driven scanning of packages on PyPi to thwart supply chain attacks.
Quote (Steve):
"Planned projects include creating new tools for automated proactive review of all packages uploaded to PyPi... deploying AI to examine all newly submitted Python package code." [27:50]
Leo and Steve agree: More organizations making money off open source should fund these projects too.

3. FTC vs. General Motors: Selling Drivers’ Data (29:35)

The FTC orders GM/OnStar to stop selling precise user location and driving data without clear consent. GM also must allow consumers to access and delete their data.
Quote (Steve):
"I would argue strongly that it is not possible to actually consent to something that's never explicitly described and explained, and which probably appears in a purchase agreement’s legalese fine print." [31:45]
Leo: "A lot of insurance companies offer you a reduced rate if you agree to be tracked. I think that's okay." [40:56]
Steve recalls coining “spyware” and how little truly has changed—companies still profit from secret customer tracking.

4. DHS Anchor Council: Government-Industry Cyber Information Sharing (48:45)

New DHS body, ANCHOR (Alliance of National Councils for Homeland Operational Resilience), seeks to replace the disbanded CPAC council for critical infrastructure protection.
Primary sticking point: Does ANCHOR maintain the strong liability shields that made CPAC a success?
Quote (Steve):
"If a fear of the consequences of divulging serious incidents and problems keeps industries silent, which CPAC didn’t... then that would not be good for ANCHOR." [58:52]

5. German Intelligence Law Expansion (59:19)

Steve details pending German legislation greatly expanding surveillance and offensive hacking powers for the BND (German NSA).
New capabilities would include full interception and 6-month storage of all Internet communications, “federal Trojan” malware use, and hacking non-cooperative US tech firms.
Quote (Steve):
"The BND will also be allowed to enter apartments and deploy their Federal Trojan on a target's device. What could possibly go wrong?" [63:01]
Hosts reflect on encryption’s role as the last line of defense—"The math is your friend." [63:42]

6. Ongoing ShinyHunters Attacks: GrubHub Next in Line (68:03)

GrubHub confirms a hack and apparent extortion by the ShinyHunters group, likely leveraging prior Salesforce and Zendesk breaches.
Steve notes the persistent danger of credential theft chains: "The attacks that keep on giving." [70:42]

7. Let’s Encrypt: 6-Day and IP Address Certificates (79:06)

Let’s Encrypt now offers extremely short-lived (6 day) and IP address-based TLS certificates.
Steve explains why: more frequent renewals reduce risk from key exposure but questions the real-world necessity.
Quote (Steve):
"It's the being forced to use shorter life certificates—whether for the web or for code signing—that feels so wrong and regressive to me. I don't need a nanny. Few of us do." [81:54]

8. Iran: Plans for Permanent Internet Disconnection (86:55)

Iran appears to be moving toward a long-term or permanent Internet blackout, gathering up satellite dishes and working to block Starlink.
Steve is skeptical this can work long-term, especially given the nation's youthful population.

9. Listener Feedback and Pro Tips

a. SpinRite SSD Recovery Graphs (93:10)

User Don from South Africa shows before-and-after SSD benchmark charts, demonstrating SpinRite’s ability to restore SSD performance.

b. Roku Advertising ID Secret Menus (96:53)

Secret code to access your Roku’s advertising ID—a practical help for leveraging California privacy laws.

c. MongoDB Exposures in the Cloud (104:02)

Listener Michael ponders if public cloud defaults (auto-public IPs) are to blame for widespread MongoDB leaks.
Steve: "Devices absolutely have to be secure out of the box, and you have to take serious, deliberate action to damage their security." [103:20]

d. Real-World Hack: ScreenConnect Remote Access (104:47)

Listener Bob details a real cyber-attack in which ScreenConnect was used to steal funds while he was away. Steve underscores the importance of biometric authentication for critical transactions.

e. Claude Code and AI Vibe Coding in Practice (120:34)

Listener Rob shares his experience using Claude for rapid software development—even as a non-coder—thanks to AI. Leo offers best-practice tips, noting how AI coding is already transformative.
Quote (Leo):
"This reminds me of first discovering the Internet. It's amazing." [126:02]

Main Segment: The Return (and Scope) of GhostPosting Browser Malware (140:10)

What Is Ghost Posting?

GhostPoster: Malware campaign using PNG icon steganography to sneak JavaScript payloads past browser extension reviews.
Initial Discovery: Koi Security found 17 malicious Firefox add-ons, up to 50,000 users infected.
New Research (LayerX): Attackers also targeted Edge and Chrome, expanding the campaign to over 840,000 installations since 2020!

Tactics & Evolution

Obfuscated PNG files embedded in browser extensions, hiding JavaScript code.
Delayed activation: Malware would only start after 48 hours (or even 5 days in later versions), evading detection.
Functionality included: HTTP header tampering, click fraud, affiliate hijacking, user tracking, programmatic CAPTCHA solving, and drive-by script injection.
Attack Lifecycle:
1. Loader is hidden in PNG
2. Extracted on install
3. Sits dormant
4. Eventually contacts C2 for secondary malware

Notable Quotes & Moments

Steve (on stealth techniques):
"The malware delays execution by 48 hours or more and only initiates C2 communication under specific conditions…" [142:19]
LayerX finding:
Some extensions persisted on web stores for five years, eluding detection entirely. [143:42]
Leo (on what attracts victims):
"'They're not gonna say something you don’t want. They're going to say something you want.' ...They've figured out what people will download for free." [154:13]

Memorable Moments & Banter

The "DVD Rewinder" Picture of the Week [14:00 – 17:54]:
Good-humored walk down memory lane as Steve and Leo marvel at a spoof DVD rewinder—"Never pay another DVD rewind fee again!"
Generational Tech Gaps: "There's an entire group of our audience that have no idea what we're talking about... They've never been to a video store!" [17:04]
AI’s Changing World: Steve muses: "Imagine kids now growing up never being in a world that never had AI that you could talk to and would answer." [17:31]

Key Timestamps

[18:08] – RAM Crisis Impacting Firewalls
[23:26] – Anthropic & Python Security
[29:35] – FTC clamps down on GM selling driver data
[48:45] – DHS Anchor Council replaces CPAC
[59:19] – Germany’s national hacking law update
[68:03] – GrubHub breach & Shiny Hunters extortion
[79:06] – Let’s Encrypt launches 6-day certs
[86:55] – Iran moves to permanent Internet cutoff
[93:10] – SpinRite SSD before/after
[104:02] – MongoDB & cloud exposure feedback
[104:47] – Listener’s real-life hack via ScreenConnect
[120:34] – Claude code/AI coding feedback
[140:10] – GhostPoster browser malware campaign returns

Summary/Takeaways

Be wary of any browser extension not from a reputable, established vendor—malicious add-ons are increasingly sophisticated and fly under the radar for years.
RAM price inflation is hitting everywhere, from laptops to high-end firewalls. Plan ahead if you need RAM-centric gear.
Support the open source tools and infrastructure your business depends on—your security relies on it.
Privacy watchdogs are finally cracking down on hidden consumer data sales, but user vigilance remains essential.
Enterprise and industrial security now means information sharing—if legal protections are in place.
Major legislative changes in both the US and abroad threaten to expand government surveillance—encryption remains vital.
AI coding is already revolutionizing software development; get involved early, but be aware of the wild-west atmosphere and best practices.
The cat-and-mouse game between defenders and attackers continues: the GhostPoster campaign proves attackers will adapt, persist—and exploit new vectors for years, undetected.

Final Word (Steve):
"We must always remember that we can never know what we don’t know. There's no point in getting overly worked up over things we cannot control... Just be skeptical—don't install extensions just because you can." [157:18]

Security Now Episode 1061: "More GhostPosting – RAM Crisis Hits Firewalls"

Date: January 21, 2026
Hosts: Steve Gibson & Leo Laporte

Episode Overview

Key Discussion Points & Insights

1. RAM Price Surge and Its Effects (18:08)

The Context

Steve kicks off with a warning for enterprises: RAM shortages and price hikes aren’t just a PC-user pain—they're coming for network firewalls and high-end enterprise gear too.
Recent research suggests that leading firewall vendors (Fortinet, Palo Alto, Check Point) will be hit particularly hard.

Highlights

Quote (Steve):
"DRAM prices have been up between 60% and 70% since last year and are expected to grow another 50% in the first quarter of the year alone." [20:25]
AI datacenter demand is gobbling up supply, pushing consumer and security product manufacturers to the back of the line.
"If you know you're going to buy high-end, RAM-intensive network security equipment soon, order now—prices are only going higher," Steve advises. [21:55]

Personal Note

Steve is glad he preemptively bought new servers and RAM for GRC: "Last summer RAM was still amazingly inexpensive. Not so any longer." [22:56]

2. Anthropic's Investment in Python Security (23:26)

Anthropic donates $1.5 million to the Python Software Foundation, earmarked for security upgrades.
Funds will boost proactive, AI-driven scanning of packages on PyPi to thwart supply chain attacks.
Quote (Steve):
"Planned projects include creating new tools for automated proactive review of all packages uploaded to PyPi... deploying AI to examine all newly submitted Python package code." [27:50]
Leo and Steve agree: More organizations making money off open source should fund these projects too.

3. FTC vs. General Motors: Selling Drivers’ Data (29:35)

The FTC orders GM/OnStar to stop selling precise user location and driving data without clear consent. GM also must allow consumers to access and delete their data.
Quote (Steve):
"I would argue strongly that it is not possible to actually consent to something that's never explicitly described and explained, and which probably appears in a purchase agreement’s legalese fine print." [31:45]
Leo: "A lot of insurance companies offer you a reduced rate if you agree to be tracked. I think that's okay." [40:56]
Steve recalls coining “spyware” and how little truly has changed—companies still profit from secret customer tracking.

4. DHS Anchor Council: Government-Industry Cyber Information Sharing (48:45)

New DHS body, ANCHOR (Alliance of National Councils for Homeland Operational Resilience), seeks to replace the disbanded CPAC council for critical infrastructure protection.
Primary sticking point: Does ANCHOR maintain the strong liability shields that made CPAC a success?
Quote (Steve):
"If a fear of the consequences of divulging serious incidents and problems keeps industries silent, which CPAC didn’t... then that would not be good for ANCHOR." [58:52]

5. German Intelligence Law Expansion (59:19)

Steve details pending German legislation greatly expanding surveillance and offensive hacking powers for the BND (German NSA).
New capabilities would include full interception and 6-month storage of all Internet communications, “federal Trojan” malware use, and hacking non-cooperative US tech firms.
Quote (Steve):
"The BND will also be allowed to enter apartments and deploy their Federal Trojan on a target's device. What could possibly go wrong?" [63:01]
Hosts reflect on encryption’s role as the last line of defense—"The math is your friend." [63:42]

6. Ongoing ShinyHunters Attacks: GrubHub Next in Line (68:03)

GrubHub confirms a hack and apparent extortion by the ShinyHunters group, likely leveraging prior Salesforce and Zendesk breaches.
Steve notes the persistent danger of credential theft chains: "The attacks that keep on giving." [70:42]

7. Let’s Encrypt: 6-Day and IP Address Certificates (79:06)

Let’s Encrypt now offers extremely short-lived (6 day) and IP address-based TLS certificates.
Steve explains why: more frequent renewals reduce risk from key exposure but questions the real-world necessity.
Quote (Steve):
"It's the being forced to use shorter life certificates—whether for the web or for code signing—that feels so wrong and regressive to me. I don't need a nanny. Few of us do." [81:54]

8. Iran: Plans for Permanent Internet Disconnection (86:55)

Iran appears to be moving toward a long-term or permanent Internet blackout, gathering up satellite dishes and working to block Starlink.
Steve is skeptical this can work long-term, especially given the nation's youthful population.

9. Listener Feedback and Pro Tips

a. SpinRite SSD Recovery Graphs (93:10)

User Don from South Africa shows before-and-after SSD benchmark charts, demonstrating SpinRite’s ability to restore SSD performance.

b. Roku Advertising ID Secret Menus (96:53)

Secret code to access your Roku’s advertising ID—a practical help for leveraging California privacy laws.

c. MongoDB Exposures in the Cloud (104:02)

Listener Michael ponders if public cloud defaults (auto-public IPs) are to blame for widespread MongoDB leaks.
Steve: "Devices absolutely have to be secure out of the box, and you have to take serious, deliberate action to damage their security." [103:20]

d. Real-World Hack: ScreenConnect Remote Access (104:47)

Listener Bob details a real cyber-attack in which ScreenConnect was used to steal funds while he was away. Steve underscores the importance of biometric authentication for critical transactions.

e. Claude Code and AI Vibe Coding in Practice (120:34)

Listener Rob shares his experience using Claude for rapid software development—even as a non-coder—thanks to AI. Leo offers best-practice tips, noting how AI coding is already transformative.
Quote (Leo):
"This reminds me of first discovering the Internet. It's amazing." [126:02]

Main Segment: The Return (and Scope) of GhostPosting Browser Malware (140:10)

What Is Ghost Posting?

GhostPoster: Malware campaign using PNG icon steganography to sneak JavaScript payloads past browser extension reviews.
Initial Discovery: Koi Security found 17 malicious Firefox add-ons, up to 50,000 users infected.
New Research (LayerX): Attackers also targeted Edge and Chrome, expanding the campaign to over 840,000 installations since 2020!

Tactics & Evolution

Obfuscated PNG files embedded in browser extensions, hiding JavaScript code.
Delayed activation: Malware would only start after 48 hours (or even 5 days in later versions), evading detection.
Functionality included: HTTP header tampering, click fraud, affiliate hijacking, user tracking, programmatic CAPTCHA solving, and drive-by script injection.
Attack Lifecycle:
1. Loader is hidden in PNG
2. Extracted on install
3. Sits dormant
4. Eventually contacts C2 for secondary malware

Notable Quotes & Moments

Steve (on stealth techniques):
"The malware delays execution by 48 hours or more and only initiates C2 communication under specific conditions…" [142:19]
LayerX finding:
Some extensions persisted on web stores for five years, eluding detection entirely. [143:42]
Leo (on what attracts victims):
"'They're not gonna say something you don’t want. They're going to say something you want.' ...They've figured out what people will download for free." [154:13]

Memorable Moments & Banter

The "DVD Rewinder" Picture of the Week [14:00 – 17:54]:
Good-humored walk down memory lane as Steve and Leo marvel at a spoof DVD rewinder—"Never pay another DVD rewind fee again!"
Generational Tech Gaps: "There's an entire group of our audience that have no idea what we're talking about... They've never been to a video store!" [17:04]
AI’s Changing World: Steve muses: "Imagine kids now growing up never being in a world that never had AI that you could talk to and would answer." [17:31]

Key Timestamps

[18:08] – RAM Crisis Impacting Firewalls
[23:26] – Anthropic & Python Security
[29:35] – FTC clamps down on GM selling driver data
[48:45] – DHS Anchor Council replaces CPAC
[59:19] – Germany’s national hacking law update
[68:03] – GrubHub breach & Shiny Hunters extortion
[79:06] – Let’s Encrypt launches 6-day certs
[86:55] – Iran moves to permanent Internet cutoff
[93:10] – SpinRite SSD before/after
[104:02] – MongoDB & cloud exposure feedback
[104:47] – Listener’s real-life hack via ScreenConnect
[120:34] – Claude code/AI coding feedback
[140:10] – GhostPoster browser malware campaign returns

Summary/Takeaways

Be wary of any browser extension not from a reputable, established vendor—malicious add-ons are increasingly sophisticated and fly under the radar for years.
RAM price inflation is hitting everywhere, from laptops to high-end firewalls. Plan ahead if you need RAM-centric gear.
Support the open source tools and infrastructure your business depends on—your security relies on it.
Privacy watchdogs are finally cracking down on hidden consumer data sales, but user vigilance remains essential.
Enterprise and industrial security now means information sharing—if legal protections are in place.
Major legislative changes in both the US and abroad threaten to expand government surveillance—encryption remains vital.
AI coding is already revolutionizing software development; get involved early, but be aware of the wild-west atmosphere and best practices.
The cat-and-mouse game between defenders and attackers continues: the GhostPoster campaign proves attackers will adapt, persist—and exploit new vectors for years, undetected.

SN 1061: More GhostPosting - RAM Crisis Hits Firewalls

Powered by Wave AI

Summary

Security Now Episode 1061: "More GhostPosting – RAM Crisis Hits Firewalls"

Episode Overview

Key Discussion Points & Insights

1. RAM Price Surge and Its Effects (18:08)

The Context

Highlights

Personal Note

2. Anthropic's Investment in Python Security (23:26)

3. FTC vs. General Motors: Selling Drivers’ Data (29:35)

4. DHS Anchor Council: Government-Industry Cyber Information Sharing (48:45)

5. German Intelligence Law Expansion (59:19)

6. Ongoing ShinyHunters Attacks: GrubHub Next in Line (68:03)

7. Let’s Encrypt: 6-Day and IP Address Certificates (79:06)

8. Iran: Plans for Permanent Internet Disconnection (86:55)

9. Listener Feedback and Pro Tips

a. SpinRite SSD Recovery Graphs (93:10)

b. Roku Advertising ID Secret Menus (96:53)

c. MongoDB Exposures in the Cloud (104:02)

d. Real-World Hack: ScreenConnect Remote Access (104:47)

e. Claude Code and AI Vibe Coding in Practice (120:34)

Main Segment: The Return (and Scope) of GhostPosting Browser Malware (140:10)

What Is Ghost Posting?

Tactics & Evolution

Notable Quotes & Moments

Most Popular Malicious Extensions Identified:

Steve’s Warning:

Memorable Moments & Banter

Key Timestamps

Summary/Takeaways

Summary

Security Now Episode 1061: "More GhostPosting – RAM Crisis Hits Firewalls"

Episode Overview

Key Discussion Points & Insights

1. RAM Price Surge and Its Effects (18:08)

The Context

Highlights

Personal Note

2. Anthropic's Investment in Python Security (23:26)

3. FTC vs. General Motors: Selling Drivers’ Data (29:35)

4. DHS Anchor Council: Government-Industry Cyber Information Sharing (48:45)

5. German Intelligence Law Expansion (59:19)

6. Ongoing ShinyHunters Attacks: GrubHub Next in Line (68:03)

7. Let’s Encrypt: 6-Day and IP Address Certificates (79:06)

8. Iran: Plans for Permanent Internet Disconnection (86:55)

9. Listener Feedback and Pro Tips

a. SpinRite SSD Recovery Graphs (93:10)

b. Roku Advertising ID Secret Menus (96:53)

c. MongoDB Exposures in the Cloud (104:02)

d. Real-World Hack: ScreenConnect Remote Access (104:47)

e. Claude Code and AI Vibe Coding in Practice (120:34)

Main Segment: The Return (and Scope) of GhostPosting Browser Malware (140:10)

What Is Ghost Posting?

Tactics & Evolution

Notable Quotes & Moments

Most Popular Malicious Extensions Identified:

Steve’s Warning:

Memorable Moments & Banter

Key Timestamps

Summary/Takeaways