A sophisticated iPhone exploit kit known as DarkSword has surfaced on GitHub, handing powerful surveillance tools to anyone with an internet connection. Security teams warn that the leaked code allows attackers to compromise hundreds of millions of devices running older operating systems with minimal effort.
Matthias Frielingsdorf of iVerify confirmed the tools are dangerously accessible. The leaked files consist of simple HTML and JavaScript, meaning bad actors can host them on a server within hours. "The exploits will work out of the box," Frielingsdorf stated, noting that no specialized iOS knowledge is required. Google's security researchers back this assessment.
The stakes are high. Approximately one-quarter of active Apple devices still run iOS 18 or earlier. With 2.5 billion devices in circulation, this leaves hundreds of millions vulnerable to data theft. The code comments reveal the malware exfiltrates contacts, messages, call logs, and Wi-Fi passwords via HTTP to remote servers. One sample even referenced uploading data to a Ukrainian apparel site, hinting at previous state-sponsored usage against Ukrainian targets.
Apple responded by issuing an emergency update on March 11 for legacy devices unable to support iOS 26. A company spokesperson emphasized that updating software remains the most effective defense, adding that Lockdown Mode also blocks these specific vectors.
This incident follows the recent discovery of Coruna, another advanced toolkit linked to defense contractor L3Harris. For engineering teams, the DarkSword leak underscores the risk of relying on unpatched systems. As code spreads across public repositories, the window to secure endpoints shrinks rapidly. Updating isn't just hygiene; it's a necessity once weaponized scripts become publicly available.
Source: TechCrunch