Read more of this story at Slashdot.
Apple rolled out the security patches for dozens of iPhone and iPad models and generations.
The post Apple Patches iOS Flaw Allowing Recovery of Deleted Chats appeared first on SecurityWeek.
Two weeks ago, a suspected North Korean threat actor slipped malicious code into a package within Axios, a widely used JavaScript library. The immediate concern was the blast radius: roughly 100 million weekly downloads spanning enterprises, startups, and government systems. But beyond the sheer scale, the attack’s speed was just as worrisome – a stark reminder of the tempo modern adversaries now operate at.
The Axios compromise was identified within minutes of publication by an Elastic researcher using an AI-powered monitoring tool that analyzed package registry changes in real time. The approach was right: AI classifying code changes at machine speed, at the moment of publication, before the damage compounds. By any standard, it was a fast response. The compromised package was removed in about three hours. But even in those three hours, the widely-used package may have been downloaded over half a million times.
This underscores a new reality. Enterprises and the public sector are being overwhelmed with attacks that are increasing in both speed and complexity, driven in part by AI. Adversaries are probing every link in the supply chain, and they are doing it at a pace that human-speed defenses cannot match.
This project is one example of using AI to tackle a security problem, but it also makes a broader case: AI-powered security can dramatically improve SOC efficiency especially when organizations across the public sector and beyond are drowning in attacks.
Government agencies increasingly rely on the same open-source JavaScript frameworks as the private sector, so a poisoned package can give an adversary access to sensitive systems before anyone realizes the supply chain has been poisoned. This is a direct threat to national security and critical infrastructure, especially when the payloads are cross-platform, affecting macOS, Windows, and Linux.
What is most critical now is understanding and correctly preparing for the frequency and speed at which these attacks occur.
AI has fundamentally lowered the barrier to sophisticated cyber operations, granting relatively unsophisticated bad actors and small nation-states capabilities once reserved for elite criminal groups and countries. Adversaries now leverage AI to automate reconnaissance, craft convincing social engineering, and develop evasive malware. With a new vulnerability discovered every few minutes, the pace is accelerating.
For the public sector, the threat model has expanded. Defending against known nation-state playbooks is no longer sufficient—that’s just the baseline. Groups that couldn’t execute at nation-state levels five years ago now operate with comparable sophistication, while state-sponsored actors operate with unprecedented speed and automation. Staying ahead means moving beyond traditional defense to meet a threat landscape that is increasingly automated and ubiquitous.
Adversarial AI is the defining threat of the current operating environment. Automated reconnaissance. AI-generated obfuscation. Machine-speed deployment across multiple vectors simultaneously. The adversary has implemented AI faster and more aggressively than most defensive teams.
It is rapidly becoming unquestionable in security: if you are not using AI to battle AI, you will lose.
That does not mean buying into the autonomous SOC fantasy. That approach treats AI in isolation, as if defenders are the only ones with access to the technology. Defensive AI is not a win button, but the minimum entry fee to stay level with the attacker. You still need business context, mission knowledge, and human judgment.
The Axios compromise should serve as a clear signal. Nation-state actors are targeting the software supply chain with increasing frequency and sophistication. The government agencies and organizations that will defend successfully against these threats are the ones building security operations that can move just as fast as the threat actors they face.
AI-driven security operations that can match the speed of modern threats, like agentic workflows that automatically triage, investigate, and contain suspicious activity are operationally necessary. Having an agentic SOC mindset and approach to how these centers work will empower analysts’ activity. Agents will operate on behalf of the analyst automatically and transparently.
The traditional SOC pyramid puts humans at the bottom doing the highest-volume work. A wide analyst tier triaging alerts, feeding a narrower senior tier handling investigations. Adversarial AI has made that base layer untenable. The volume is too high, the speed too fast, the surface area too broad. The pyramid inverts into a diamond – AI takes the base while analysts rise to become threat engineers: managing, validating, and improving the agents working on their behalf.
AI agents handle the high-volume work of alert correlation, investigation enrichment, and initial containment while human analysts focus on strategic decisions and mission context. These agents amplify the expertise that government security professionals bring, delivering pre-investigated, correlated findings rather than a flood of disconnected alerts.
The rapid acceleration of sophisticated attacks calls for this essential change across the SOC. The public sector and industry are undergoing a significant transformation, shifting away from eyes-on-glass alert triage toward a high-impact era of threat engineering. In doing so, public sector teams will have the ability to greatly reduce mean time to detect/respond, in turn reducing SOC analyst fatigue and compressing investigation timelines.
Mike Nichols is the GM of Security at Elastic.
The post Why the Axios attack proves AI is mandatory for supply chain security appeared first on CyberScoop.
The AI giant is taking action after determining that a macOS code signing certificate may have been compromised.
The post OpenAI Impacted by North Korea-Linked Axios Supply Chain Hack appeared first on SecurityWeek.
The DarkSword exploit kit has been used by both state-sponsored hackers and commercial spyware vendors.
The post Apple Rolls Out DarkSword Exploit Protection to More Devices appeared first on SecurityWeek.
A long-lived NPM access token was used to bypass the GitHub Actions OIDC-based CI/CD publishing workflow and push backdoored package versions.
The post Axios NPM Package Breached in North Korean Supply Chain Attack appeared first on SecurityWeek.
The state-sponsored group’s campaign has targeted government, higher education, financial, and legal entities, as well as think tanks.
The post Russian APT Star Blizzard Adopts DarkSword iOS Exploit Kit appeared first on SecurityWeek.
Coruna contains the updated version of a kernel exploit used in Operation Triangulation three years ago.
The post Coruna iOS Exploit Kit Likely an Update to Operation Triangulation appeared first on SecurityWeek.
The computer giants have announced new security capabilities for PCs and printers.
The post Dell and HP Roll Out Quantum-Resistant Device Security appeared first on SecurityWeek.
Apple released security fixes for older devices as well, in iOS 18.7.7, iPadOS 18.7.7, macOS Sequoia 15.7.5, and macOS Sonoma 14.8.5.
The post iOS, macOS 26.4 Roll Out With Fresh Security Patches appeared first on SecurityWeek.
Leaked iOS spyware has some cybersecurity professionals raising urgent alarms about potential mass iPhone compromises, a development that pairs ominously with the recent discovery of two sophisticated iOS exploit kits.
At the same time, some other experts say Apple’s defensive features for iPhones remain elite. But several factors have created unprecedented circumstances: the public accessibility of a version of DarkSword, shortly after the discovery of the original version of DarkSword and the earlier discovery of a similar kit known as Coruna, and a growing market for iPhone exploits driven by their high value as targets.
Allan Liska, field chief information security officer at Recorded Future, said he was worried about what the leaked DarkSword version could do to “democratize” iPhone exploits.
“Right now, iPhone exploitations are among the most expensive to research/implement so they have been, largely, the realm of nation-states,” he said. “If anyone can exploit an iPhone, suddenly something that has managed to be relatively secure now is a much bigger attack surface.”
Google, iVerify and Lookout released research last week on DarkSword’s discovery, centered on Ukraine. Google also said it saw targeting in Saudi Arabia, Turkey and Malaysia. And that was before a version turned up on GitHub, a development TechCrunch first reported and Google and iVerify have analyzed. (The week before, iVerify and Google uncovered Coruna. Google declined to comment further for this story.)
“It’s extremely alarming that this leaked out on GitHub,” said Rocky Cole, co-founder of iVerify. “I would assume that it’s being used all around the world, and including here in the United States.”
Hundreds of millions of iPhones running iOS 18 could be vulnerable to DarkSword.
“I think that the top line issues here are pretty clear: people who have devices that are vulnerable should upgrade ASAP,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation. “It is very likely that these vulnerabilities are being used right now to exploit vulnerable devices at scale, which is unusual for Apple products.”
Coruna was concerning enough for Apple that it took the rare step of backporting security updates to still older versions of iOS, Cole said. The fear, he said, was that it might be wormable — capable of spreading from one device via text message to everyone in a phone’s contact list.
But Cole said Apple hasn’t released similar security-focused updates to iOS 18, for reasons he doesn’t know.
Apple has emphasized the patches it has issued, urged users to update their phones and touted Lockdown Mode as a defense against spyware.
“Apple devices are designed with multiple layers of security in order to protect against a wide range of potential threats, and every day Apple’s security teams around the world work tirelessly to protect users’ devices and data,” said Apple spokesperson Sarah O’Rourke. “Keeping your software up to date is the single most important thing you can do to maintain the security of your Apple products, and devices with updated software were not at risk from these reported attacks.”
IPhones’ widespread use makes them high-value targets, fueling a thriving market for exploits. Coruna and DarkSword are indicators of this growing demand.
“It’s time for organizations to start thinking of mobile security the way they think about desktop security, which is to say everyone knows how to secure their laptop,” Cole said. And for iPhone exploit hunting in particular, “you’re starting to see people do it at a mass level.” Furthermore, the resale market is such that exploits that once were exclusive are no longer, and AI makes it even easier to customize them in the code, he said.
DarkSword has drawn federal attention: The Cybersecurity and Infrastructure Security Agency this week added vulnerabilities that DarkSword exploits to the list that federal agencies must patch.
The number of people still using iOS 18 is large, up to 25% of all iPhones. Cole said several factors are contributing to that, such as users being leery of iOS 26’s onboard artificial intelligence or the Liquid Glass interface.
Said Galperin: “There are many reasons why people do not keep their devices up to date, so when I tell people ‘just patch your stuff’ I think it is important to realize that there are circumstances under which this is easier said than done.”
Despite the concerns, Cole credited iPhone for its high security standards, in particular for its app store.
For Natalia Krapiva, senior tech-legal counsel at Access Now, a key takeaway is the worrisome proliferation of commercial spyware and cyber intrusion capabilities.
“This is exactly what human rights activists and digital security researchers have been warning governments and companies about: In the absence of effective regulation for the industry, these exploits will get out and end up in the hands of adversaries like Russia, China, Iran, or, as in the case of DarkSword, leaked online for any criminal to use,” she said.
On the other hand, Apple’s Lockdown Mode and Memory Integrity Enforcement are top-notch defensive measures, Krapiva said. We’ve yet to see a Lockdown Mode-enabled iPhone being infected with spyware, she said.
“I think we’ll keep seeing more attempts to exploit both Apple and Android devices as they improve their software and hardware security,” she said. “It’s the old cat-and-mouse game.”
Adam Boynton, senior enterprise strategy manager at Jamf, said what’s happened with Coruna and DarkSword is evidence of Apple’s success.
“What’s encouraging here is that Apple’s security model works,” he said. “Coruna skips devices running the latest iOS versions and avoids those with Lockdown Mode enabled entirely. That’s a strong validation of the defences Apple has built.
“DarkSword reinforces the same principle,” he continued. “Where Coruna targeted older iOS versions, DarkSword demonstrates that even relatively current releases can be targeted by determined actors. Apple moved quickly to patch the vulnerabilities involved, and devices running the latest iOS are protected.”
The post DarkSword’s GitHub leak threatens to turn elite iPhone hacking into a tool for the masses appeared first on CyberScoop.
Read more of this story at Slashdot.
Researchers have discovered a second instance of suspected Russian hackers using iOS exploits, pointing to what they say are several foreboding trends.
iVerify, Lookout and Google collaborated on the research published Wednesday, a follow-up to earlier revelations about a similar exploit kit, Coruna. While the second kit — dubbed DarkSword — also targeted users in Ukraine, the scale is significant: iVerify estimated up to 270 million iPhone users could be susceptible, while Lookout told CyberScoop roughly 15% of all iOS devices currently in use are running iOS 18 or earlier versions and could be vulnerable to the exploit kit.
The research reveals a range of new details, as well as interesting patterns:
DarkSword can exfiltrate saved passwords, crypto wallets, text messages and more, researchers found. Attackers are leveraging the exploit kit by first compromising Apple’s WebKit and then using WebGPU as a pivot point for sandbox escapes, according to Justin Albrecht, Lookout’s global director for mobile threat intelligence.
What’s less clear is who, exactly, is behind the exploit kit, other than the links to Russia. Cole said DarkSword is hosted on the same command and control infrastructure as Coruna, but is an entirely separate kit made by entirely separate people. Google has attributed the campaigns to a group it tracks as UNC6353, which it describes as a Russian-backed espionage group, as well as UNC6748 and Turkish commercial surveillance vendor PARS Defense.
The attackers’ motives are also a bit opaque, mixing what appears to be both espionage and financial objectives. Albrecht noted there is precedent for this: Russian threat groups have targeted cryptocurrency in Ukraine before, notably with Infamous Chisel, an Android exploit kit deployed by Sandworm.
“They’re probably well-funded, probably well-connected, but it’s confirmed that they’re stealing crypto. There is definitely a financial motivation,” Albrecht told CyberScoop. “Now, I think the big question is, depending on who the group is, is the financial motivation in this just to do damage to Ukrainians, or is it to steal crypto?”
Russia has been under heavy sanctions for a long time and is starting to have budget problems due to the ongoing war in Ukraine, he noted. “Why not start to fund their operations with stolen funds? It wouldn’t be outside the norm, although it would be a potential shift in their TTPs for Russian APTs in general,” Albrecht said.
The kit could be handy for someone trying to do a “pattern of life” analysis, Cole said, and thus useful for surveillance and intelligence purposes.
He said a commercial spyware vendor might have made the kit with no target audience in mind, thus the “Swiss Army knife”-like quality of it. The major concern for Cole is that there’s apparently a growing market for these kinds of tools, and people may be lulled into a false sense of security about iPhones not being vulnerable.
Despite the sophistication of the exploits themselves, the threat actors behind DarkSword may not be particularly experienced, Albrecht said. None of the JavaScript or HTML code was obfuscated in any way, and the server-side component was labeled “Dark sword file receiver” — poor operational security for a seasoned Russian threat actor.
“Your experienced Russian threat actors, your APT29’s of the world, I would expect them to have better OPSEC,” Albrecht said.
One of the more unusual findings in the research is the clear presence of large language model-generated code. The server-side component of DarkSword, for instance, includes telltale signs of AI-generated code, complete with detailed notes and comments characteristic of LLM output. It’s a development that effectively lowers the barrier to entry for deploying advanced mobile exploits, even among state-sponsored actors, Albrecht said.
All three research teams have been in contact with Apple about the findings, according to Albrecht, with Google likely in closest contact since they began investigating the threat in late 2025. In its blog, Google said it reported the vulnerabilities used in DarkSword to Apple in late 2025, and all vulnerabilities were patched with the release of iOS 26.3, although most were patched prior.
CLARIFICATION 3/18/26: Clarified the suspected origins of the DarkSword exploit kit and any links to tools developed for the U.S. government.
The post Second iOS exploit kit now in use by suspected Russian hackers appeared first on CyberScoop.
An exploit kit that may have originated from a leaked U.S. government framework is behind what researchers are calling the first mass-scale attack on iOS, the operating system for Apple’s iPhones.
Traces of the exploits, found in the work of Chinese cybercriminals, also have been spotted in Russian attacks on Ukraine and used by a customer of a spyware vendor.
Those conclusions come from two pieces of research that Google Threat Intelligence Group and iVerify released separately Tuesday. Rocky Cole, co-founder of iVerify, said it represented a potential “EternalBlue moment,” with echoes of that exploit software escaping the National Security Agency to fuel the global WannaCry ransomware and NotPetya attacks in 2017.
Google said that the so-called Coruna exploit kit that’s the subject of Tuesday’s research “provides another example of how sophisticated capabilities proliferate,” as it wrote in a blog post about the zero-day — or previously undisclosed and unpatched — exploits.
“How this proliferation occurred is unclear, but suggests an active market for ‘second hand’ zero-day exploits,” Google wrote. “Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.”
Said iVerify: “While iVerify has some evidence that this tool is a leaked U.S. government framework, that shouldn’t overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors.”
Just last week, a U.S. court sentenced a former L3 Harris executive to prison for selling zero-day exploits to a Russian broker.
Both Google and iVerify connected the exploit kit to Operation Triangulation, which Russian cybersecurity firm Kaspersky said in 2023 had targeted the company and the Russian government attributed to the U.S. government. The NSA declined to comment on that allegation.
An Apple spokesperson didn’t respond to a request for comment Tuesday afternoon. Apple issued multiple patches in response to Operation Triangulation, and worked with Google on the newest research.
Spencer Parker, chief product officer at iVerify, said the attack affected at least 42,000 devices —a “massive number” for iOS, even if it sounds small to other platforms. That number has the potential to expand as researchers dive further into the technical details, Cole said.
Other signs point to U.S. development of the exploit kit, Cole said.
“The code base for the framework and the exploits was superb,” he said. “It was elegantly written. It’s fluid and holds together very well. There were comments in the code that, as someone who’s been around the U.S. defense industrial base for years, really are reminiscent of the sort of insider jokes and insider remarks that you might see from a U.S. based coder. Certainly they were native English language speakers.”
Google said it tracked the use of the exploit kit over the course of last year in operations from an unnamed customer of a surveillance vendor to attacks on Ukrainian users from a suspected Russian espionage group, before retrieving the complete exploit kit from a financially motivated group operating out of China.
Apple-focused security researcher Patrick Wardle observed on the social media site X about the Coruna research: “Turns out even lowly cybercriminals were (ab)using 0days to hack Apple devices.”
The post Possible U.S.-developed exploits linked to first known ‘mass’ iOS attack appeared first on CyberScoop.
Login