
New Episode of Security Now: Security Now 1056
In this episode of Security Now, Steve Gibson and Leo Laporte discuss a variety of topics related to cybersecurity, computer vulnerabilities, and current technological issues. Here is a detailed summary of the key points discussed.
The episode opens with the major security story of the week: vulnerabilities in the American power grid that China has been exploiting in cyber "war games." Steve Gibson notes that Chinese researchers have published more than 2,700 papers on weaknesses in the U.S. grid since 2010, 225 of them focused specifically on how to attack it. Taken together, the papers point to a long-term strategy of infiltrating, and if necessary disabling, critical U.S. infrastructure. Chinese-manufactured equipment such as solar inverters and battery energy storage systems is a particular concern, because a supplier-controlled device sitting inside the grid is a ready vector for introducing vulnerabilities.
The second major topic is Home Depot's slow response to a critical security exposure. A security researcher found an access token that a Home Depot employee had accidentally committed to a public GitHub repository; the token granted access to hundreds of internal source-code repositories. The researcher reported it repeatedly, but the company ignored the reports for several weeks and acted only after TechCrunch intervened. The story illustrates two failures at once: a leaked credential that should have been caught before it was ever pushed, and a vulnerability-disclosure channel that nobody was reading.
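The kind of leak described above is exactly what a pre-commit secret scanner exists to stop. The following is an added example, not code from the episode or from Home Depot: a minimal scanner that recognises GitHub token formats (the published `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_` prefix plus 36 characters, and `github_pat_` plus 22 + `_` + 59 characters) and falls back to an entropy heuristic for secrets with no recognisable prefix. The sample config file is constructed and every credential in it is fake.

```javascript
// Added example (not the episode's or Home Depot's code): a minimal pre-commit
// secret scanner. Token shapes follow GitHub's documented prefixes; the sample
// file below is constructed and nothing in it is a real credential.

const TOKEN_PATTERNS = [
  { kind: 'github-classic', re: /\bgh[pousr]_[A-Za-z0-9]{36}\b/g },
  { kind: 'github-fine-grained', re: /\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b/g },
  { kind: 'aws-access-key-id', re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
];

// Catch-all for secrets without a recognisable prefix: a secret-looking key
// assigned a long base64-ish value, reported only if the value is high entropy.
const SECRET_ASSIGNMENT = /(?:secret|token|password|api[_-]?key)\s*[:=]\s*['"]?([A-Za-z0-9+/=_-]{20,})['"]?/gi;
const ENTROPY_THRESHOLD = 3.5; // bits per character; tune to your false-positive tolerance

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Never log the full secret: keep enough to locate it, not enough to use it.
function redact(value) {
  return value.slice(0, 8) + '...' + value.slice(-4);
}

// Scan one file's contents; returns [{ path, line, kind, value }].
function scanText(text, path = '<memory>') {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    const lineNo = idx + 1;
    let knownOnLine = false;
    for (const { kind, re } of TOKEN_PATTERNS) {
      for (const m of line.matchAll(re)) {
        findings.push({ path, line: lineNo, kind, value: redact(m[0]) });
        knownOnLine = true;
      }
    }
    if (knownOnLine) return; // don't report the same token again under the generic rule
    for (const m of line.matchAll(SECRET_ASSIGNMENT)) {
      if (shannonEntropy(m[1]) >= ENTROPY_THRESHOLD) {
        findings.push({ path, line: lineNo, kind: 'high-entropy-assignment', value: redact(m[1]) });
      }
    }
  });
  return findings;
}

// Constructed sample of a config file about to be committed. The ghp_ token is
// a fake with the right shape; the API key is random-looking filler.
const SAMPLE_CONFIG = [
  '# constructed sample; nothing below is a real credential',
  'GITHUB_TOKEN=ghp_x7Kq2Lm9Zr4Tv8Bn1Yc3Ed6Hf0Jg5SaWpQRt',
  'API_KEY="kQ9zLm2Xp7Rv4Tb8Wn1Yc3Ed6Hf0Jg5Sa"',
  'password = "hunter2"',
  'version = "1.2.3"',
].join('\n');

// Stand-alone run: print findings the way a pre-commit hook would (the hook
// would then exit non-zero to block the commit).
for (const f of scanText(SAMPLE_CONFIG, 'config.env')) {
  console.log(`${f.path}:${f.line} ${f.kind} ${f.value}`);
}
```

Wired into a pre-commit hook (one call per staged file, exit non-zero on any finding), this blocks the commit before the token reaches a remote. A scanner like this is a floor, not a ceiling: GitHub's own secret scanning would also have flagged a pushed `ghp_` token, but by then the secret is already public and must be revoked, which is the expensive path the story above describes.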
Steve and Leo then turn to the impact of artificial intelligence (AI) on software development, through the example of GNOME extensions. A maintainer who reviews GNOME extension submissions described growing frustration with AI-generated code, which is routinely padded with dead code and poor practice: superfluous try-catch blocks, unnecessary type checks, and similar boilerplate that bloat the extension and make review harder. The lesson drawn in the episode is that current AI does not understand the code it emits; it reproduces patterns without grasping what they mean. That is a risk to open-source quality, because if reviewers do not push back, bad code spreads and becomes the norm.
Another important thread is the rise in attacks on open-source package registries. In 2025, attacks on registries such as NPM (for JavaScript) rose by nearly 87% over 2024. Attackers rely on malicious dependencies injected into otherwise legitimate packages, obfuscated payloads, and typosquatting (publishing packages whose names differ from popular ones by a character or two, so that a mistyped install pulls in the attacker's package instead). The payloads are malware, cryptocurrency miners, and backdoors delivered onto end-users' and developers' machines, typically executed by the package's install-time scripts. The trend underlines the need to treat every third-party library as untrusted input and to verify project dependencies carefully.
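To make the three tactics above concrete, here is an added example (not from the episode or from npm) of a small audit pass over installed package manifests. It maps typosquatting to an edit-distance check against popular names, obfuscation to keyword matching on install hooks, and injected dependencies to a check on where each package was resolved from. The popular-package list and the manifests are constructed for the example; a real tool would take the list from registry download counts and the manifests from `node_modules` or the lockfile.

```javascript
// Added example (not the episode's or npm's code): an audit pass that flags
// typosquats, suspicious install hooks and non-registry sources. POPULAR and
// SAMPLE_MANIFESTS are constructed for the example.

const POPULAR = ['lodash', 'express', 'react', 'axios', 'chalk', 'debug', 'colors', 'request', 'moment'];

// Commands that have no business in the install hook of an ordinary library.
const SUSPICIOUS_INSTALL = /\b(?:curl|wget|eval|Function|child_process|base64|atob|powershell)\b/i;

const REGISTRY = /^https:\/\/registry\.npmjs\.org\//;

// Levenshtein edit distance: the usual measure for "one typo away" names.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// manifests: [{ name, version, resolved, scripts }]; returns [{ name, rule, detail }].
function auditDependencies(manifests) {
  const findings = [];
  for (const m of manifests) {
    // 1. Typosquatting: within two edits of a popular package, but not that package.
    if (!POPULAR.includes(m.name)) {
      const near = POPULAR.find((p) => levenshtein(m.name, p) <= 2);
      if (near) findings.push({ name: m.name, rule: 'typosquat', detail: `resembles "${near}"` });
    }
    // 2. Install-time hooks run arbitrary commands on `npm install`. Any hook
    //    is worth a look; one that fetches, decodes or evals code is a red flag.
    for (const hook of ['preinstall', 'install', 'postinstall']) {
      const cmd = m.scripts && m.scripts[hook];
      if (!cmd) continue;
      const rule = SUSPICIOUS_INSTALL.test(cmd) ? 'suspicious-install-script' : 'install-script';
      findings.push({ name: m.name, rule, detail: `${hook}: ${cmd}` });
    }
    // 3. Packages pulled from somewhere other than the registry (git URLs,
    //    tarballs) bypass registry-side scanning and, without a commit hash, pin nothing.
    if (m.resolved && !REGISTRY.test(m.resolved)) {
      findings.push({ name: m.name, rule: 'non-registry-source', detail: m.resolved });
    }
  }
  return findings;
}

// Constructed manifests: one clean, one typosquat with an obfuscated postinstall,
// one legitimate-looking build hook, one git dependency.
const SAMPLE_MANIFESTS = [
  { name: 'lodash', version: '4.17.21',
    resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz', scripts: {} },
  { name: 'lodahs', version: '4.17.21',
    resolved: 'https://registry.npmjs.org/lodahs/-/lodahs-4.17.21.tgz',
    scripts: { postinstall: 'node -e "eval(Buffer.from(process.env.P, \'base64\').toString())"' } },
  { name: 'esbuild', version: '0.21.5',
    resolved: 'https://registry.npmjs.org/esbuild/-/esbuild-0.21.5.tgz',
    scripts: { postinstall: 'node install.js' } },
  { name: 'left-pad', version: '1.3.0',
    resolved: 'git+https://github.com/example/left-pad.git', scripts: {} },
];

for (const f of auditDependencies(SAMPLE_MANIFESTS)) {
  console.log(`${f.rule.padEnd(26)} ${f.name}: ${f.detail}`);
}
```

The edit-distance threshold is deliberately crude (two edits will also catch legitimate short names near popular ones), which is why the output is a review queue rather than an automatic block. The install-hook rule is the one worth automating: running `npm install --ignore-scripts` in CI and allow-listing the few packages that genuinely need a build step removes the most common execution path for these payloads.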
The episode also covers the critical React2Shell vulnerability (CVE-2025-55182) in React Server Components, which allows unauthenticated remote code execution against servers that handle server-function requests. It has been exploited by several criminal groups, including China-linked actors, to deploy tunnelers, downloaders, and backdoors; Google's threat-intelligence group reported broad exploitation, putting many organizations at risk. It is a reminder that a flaw in a widely deployed component has consequences across everything built on top of it, and that patching application frameworks promptly matters as much as patching operating systems.
Steve and Leo also discuss Apple's security updates, including iOS 26.2, which fixes two actively exploited zero-day vulnerabilities. Apple described these attacks as "extremely sophisticated," emphasizing the need for users to keep their devices up-to-date to protect against advanced threats.
Another crucial topic is the future of Let's Encrypt, the certificate authority that issues free TLS certificates. Let's Encrypt is on track to become the world's largest CA, issuing nearly 10 million certificates a day and projecting one billion active sites by 2026. That concentration is itself a risk: Let's Encrypt certificates are short-lived (90 days today, with 6-day certificates on the way), so a prolonged outage would not break sites instantly, but they would stop being able to renew and would drop off the web one after another as their certificates expired. Steve's concern is that this degree of centralization runs against the Internet's principles of decentralization and resilience. The practical hedge for an operator is an ACME client configured to fall back to a second CA rather than hard-wired to a single issuer.
Finally, the episode closes with a longer discussion of Australia's new ban on social media for under-16s, which took effect the previous week and has drawn mixed reactions. Some teenagers have already defeated the age checks, using makeup to look older for facial age estimation or getting adults to pass the checks for them; others say they are relieved to be free of social-media pressure. Steve and Leo look at the implications for privacy and at how accurate current age-verification methods actually are. Facial age estimation, they note, is far from reliable and easy to fool. They also discuss more robust alternatives, such as a trusted intermediary that attests a user's age bracket to the platform without revealing identity, so the platform learns nothing beyond "over 16."
In summary, this episode of Security Now offers an in-depth analysis of current cybersecurity challenges, from critical vulnerabilities to privacy and regulatory issues. The discussions highlight the importance of vigilance, technological innovation, and collaboration between researchers, companies, and governments to protect infrastructure and users against growing threats.