Security Now drops episode 1076

- TWiT and GRC released Security Now episode 1076 on April 28, with Steve Gibson and Leo Laporte centering the show on newly uncovered fast16 sabotage malware.
- The episode’s headline claim is that fast16 dates to 2005 and silently tampered with high-precision calculations, predating Stuxnet by about five years.
- TWiT also posted an AI-generated transcript, undercutting claims that listeners only had video for the episode. (twit.tv)

Security Now episode 1076 landed on April 28 with Steve Gibson and Leo Laporte leading on “fast16.sys,” a newly surfaced sabotage malware case. (twit.tv) TWiT’s episode page bills the story as “Unmasking the NSA’s Most Diabolical Digital Sabotage” and says the malware quietly corrupted scientific research in hostile states. (twit.tv)

GRC’s official show notes list the same headline topic and date the release to April 28, 2026, under the title “FAST16.SYS.” The notes also show the rest of the rundown: a Bitwarden command-line interface supply-chain attack, router failures in Iran, Meta’s internal AI logging, and GRC’s DNS Benchmark Release 5. (grc.com)

The technical idea is simple: sabotage malware does not need to blow up a machine if it can quietly poison the numbers the machine produces. SentinelOne said fast16 patched high-precision calculation software in memory so results looked normal while being subtly wrong. (sentinelone.com)

SentinelOne said the framework’s core components date to 2005, which would place it roughly five years before Stuxnet became public in 2010. Dark Reading said that timeline “rewrites” the accepted history of cyber sabotage by moving a purpose-built digital weapon earlier than many researchers assumed. (sentinelone.com) (darkreading.com)

The show is not limited to a YouTube video with no text backup. TWiT published an AI-generated transcript on April 28 with time codes and a disclaimer that it may not be word-for-word. (twit.tv)

That transcript shows Gibson framing fast16 as evidence that highly sophisticated cyber sabotage existed in the Windows 2000 and Windows XP era. It also shows him saying Bitwarden end users were not impacted by the command-line interface package compromise discussed earlier in the episode. (twit.tv)

GRC’s notes identify the affected Bitwarden package as `@bitwarden/cli@2026.4.0` and say the malicious code was available on npm between 5:57 p.m. and 7:30 p.m. Eastern on April 22. The notes say the code stole developer and cloud secrets and could abuse GitHub tokens to inject malicious workflows into repositories. (grc.com)

The episode matters less as a weekly podcast drop than as a digest of two live security themes: supply-chain compromises hitting developer tools now, and fresh research revisiting older state-linked malware to explain how cyber sabotage evolved. (grc.com) (sentinelone.com)

For listeners, the practical update is straightforward: episode 1076 is out, the transcript is already posted, and the centerpiece is fast16’s 2005-era attack on high-precision software. (twit.tv 1) (twit.tv 2)
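
For teams that want to check whether a project pinned the `@bitwarden/cli@2026.4.0` release named in GRC's notes, the following is an added example (not from the episode, GRC, or Bitwarden) that searches a parsed npm `package-lock.json` in both the flat `packages` layout and the older nested `dependencies` layout. The sample lockfiles, the `deploy-tool` package, and the function name `findPinned` are constructed for illustration.

```javascript
// Added example: locate a specific package version inside an npm lockfile.
const BAD_NAME = "@bitwarden/cli";
const BAD_VERSION = "2026.4.0"; // version identified in GRC's show notes

// Returns every lockfile location where name@version is pinned.
function findPinned(lock, name = BAD_NAME, version = BAD_VERSION) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, e.g.
    // "node_modules/a/node_modules/@bitwarden/cli".
    for (const [path, meta] of Object.entries(lock.packages)) {
      // An aliased install records its real name in "name"; otherwise
      // the name is whatever follows the last "node_modules/".
      const pkgName = (meta && meta.name) || path.split("node_modules/").pop();
      if (pkgName === name && meta.version === version) hits.push(path);
    }
    return hits;
  }
  // lockfileVersion 1: nested tree, so transitive copies must be walked.
  const walk = (deps, trail) => {
    for (const [depName, meta] of Object.entries(deps || {})) {
      const here = trail.concat(depName);
      if (depName === name && meta.version === version) hits.push(here.join(" > "));
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@bitwarden/cli": { version: "2026.3.1" },
    "node_modules/deploy-tool/node_modules/@bitwarden/cli": { version: "2026.4.0" },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "deploy-tool": { version: "3.2.0", dependencies: { "@bitwarden/cli": { version: "2026.4.0" } } },
    "left-pad": { version: "1.3.0" },
  },
};

console.log(findPinned(SAMPLE_V3), findPinned(SAMPLE_V1));
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findPinned`; an empty array means that exact version is not pinned anywhere in the tree.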
