
Security Now (Audio)
SN 1074: What Mythos Means - Marketing or Mayhem
Security expert Steve Gibson analyzes Anthropic's new Mythos AI model, which demonstrates superhuman capability in discovering software vulnerabilities. While Anthropic claims the model is too dangerous to release publicly, Gibson examines the evidence and concludes this represents a watershed moment for cybersecurity that exposes widespread flaws in existing software.
SN 1073: The FCC Bans New Consumer Routers - LinkedIn's JavaScript Bombshell
Steve Gibson analyzes the FCC's ban on all new foreign-made consumer routers, explaining why it's arbitrary and ineffective. The show also covers LinkedIn's 2.7MB JavaScript surveillance code that scans users' computers for over 6,000 browser extensions, and touches on Apple's new age verification requirements in the UK.
SN 1072: LiteLLM - Click Fix Attacks Surge
Steve Gibson and Leo Laporte discuss the LiteLLM PyPI exploit, a sophisticated supply chain attack that infected the popular AI proxy service with credential-stealing malware. The attack, executed by Team PCP, exploited a compromised security scanner (Trivy) to inject malware that would have affected 3.4 million daily downloads, but was caught due to a coding error that caused systems to crash.
SN 1071: Bucketsquatting - Meta and TikTok's Tracking Pixels
Steve Gibson and guest host Mikah Sargent discuss a critical security flaw in H&R Block's tax software that installs an untrustworthy root certificate with accessible private keys. They also cover 'bucket squatting' - a major vulnerability where attackers hijack abandoned Amazon S3 buckets to compromise software supply chains.
SN 1070: CISA's Free Internet Scanning - Malware Disguised as a VPN
Steve Gibson discusses various cybersecurity topics including social media companies backing away from end-to-end encryption, malware disguised as VPN software, and his positive experience with CISA's free internet scanning service. He also addresses questions about AI-generated code and shares insights from security researchers about current threats.