Dangerous iPhone Exploit Leaks onto GitHub, Putting Millions of Older Apple Devices at Risk


Guest Editorial by Stefanie Schappert, Senior Journalist, Cybernews


A powerful iPhone hacking tool once used in targeted surveillance operations is now circulating in the public sphere on GitHub, marking a turning point in the growing risk to everyday smartphone users.

The exploit, known as DarkSword, was identified by Google’s Threat Intelligence Group (GTIG) on March 19th as a full-chain iOS attack capable of fully compromising Apple devices by chaining together multiple vulnerabilities.

What’s more, DarkSword was found capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones – and has been planted on dozens of websites in Ukraine since late February.

Google said the tool has been used by multiple threat actors since at least November 2025. And besides deploying malware that steals data, DarkSword can record your device activity and maintain persistent access once the iPhone is infected.

Public GitHub Leak Raises the Stakes

If that’s not bad enough, threat actors have escalated the situation by publicly posting the DarkSword exploit code on GitHub – raising concerns that a tool once limited to advanced operators can now be accessed by an even larger pool of attackers.

This shift – when sophisticated cyber weapons leak into public circulation – is a familiar and dangerous pattern in cybersecurity.

Tools originally developed for intelligence or government use have historically leaked or been resold, eventually showing up in financially motivated cybercrime. Researchers warn that the same pattern is now unfolding in the mobile world.

It's important for Apple users to be aware that the risks are primarily to older iPhones that have not been updated.

DarkSword specifically targeted iPhones and iPads running certain older versions of iOS, and hundreds of millions of devices may still fall into that category globally.

Apple introduced its revamped operating system, iOS 26, last September. However, many users, unhappy with the changes, refused to update their smartphones and kept their devices running iOS 18 – making them prime targets for threat actors leveraging the malicious toolkit.

An estimated 220 million to 270 million iPhones were still running exposed iOS versions in March, according to iVerify and Lookout.

DarkSword targets Apple devices running iOS 18.4 through 18.7, while older devices running iOS 13.0 through iOS 17.2.1 are at risk from the Coruna exploit.

A Hacked iPhone Can Become a Much Bigger Problem

It's also important for users to understand that DarkSword differs from traditional malware in how devices become infected.

In some cases, users do not need to download anything or click a suspicious attachment to trigger the exploit and take control of the device – instead, devices can be infected just by visiting an already compromised website.

That has major implications not just for individuals, but for businesses and government agencies as well.

Smartphones now store email access, authentication tokens, cloud data, messaging history, and corporate credentials.

Once a device is compromised, attackers may be able to move beyond the phone and into broader accounts and systems, security experts have said.

The DarkSword case also follows another recently discovered iPhone exploit kit known as Coruna, which researchers say demonstrates how advanced exploit frameworks can spread among different threat actors and eventually reach criminal groups.

The most important step users can take right now is simple: update their devices. Apple has released security patches designed to block DarkSword attacks, and updated devices are not considered vulnerable to the known exploit chain.

But the broader lesson goes beyond a single patch cycle. The leak of DarkSword shows how quickly high-end cyber capabilities can spread once they escape controlled environments.

And in today’s world, the device most likely to be targeted is the one in your pocket.

Stefanie Schappert, a senior journalist at Cybernews, is an accomplished writer with an M.S. in cybersecurity, immersed in the security world since 2019. She has a decade-plus of experience in America’s #1 news market working for Fox News, Gannett, Blaze Media, Verizon Fios1, and NY1 News. With a strong focus on national security, data breaches, trending threats, hacker groups, global issues, and women in tech, she is also a commentator for live panels, podcasts, radio, and TV. She earned the ISC2 Certified in Cybersecurity (CC) certification as part of the initial CC pilot program, participated in numerous Capture-the-Flag (CTF) competitions, and took 3rd place in Temple University's International Social Engineering Pen Testing Competition, sponsored by Google. She is a member of Women’s Society of Cyberjutsu (WSC) and Upsilon Pi Epsilon (UPE) International Honor Society for Computing and Information Disciplines. Recent media: KTLA, KXAN, TechRadar, Corriere della Sera, WCLO.

 
 