Security Briefing March 30, 2026 · 7 min read

DarkSword iOS Spyware Leaked on GitHub Threatens Millions, VoidStealer Bypasses Chrome Encryption, AI Phishing Via Railway Hits Hundreds

DarkSword iOS exploit kit leaks on GitHub, potentially democratizing nation-state iPhone hacking for the masses. VoidStealer malware pioneers a stealthy debugger-based technique to bypass Chrome's Application-Bound Encryption without admin privileges. An AI-powered phishing campaign abusing Railway's platform compromises hundreds of organizations in weeks. StoatWaffle malware auto-executes on developers through VS Code. Four former NSA directors warn US offensive cyber edge is eroding.


1. DarkSword iOS Exploit Kit Leaked on GitHub — Hundreds of Millions of iPhones at Risk

⚠ CRITICAL — Mass Exploitation Risk

A version of the DarkSword iOS exploit kit has been published on GitHub, potentially putting hundreds of millions of iOS 18 devices at risk of compromise. CISA has added the exploited vulnerabilities to its Known Exploited Vulnerabilities catalog.

Cybersecurity researchers are raising urgent alarms after a version of the DarkSword iOS spyware exploit kit appeared on GitHub — a development first reported by TechCrunch and subsequently analyzed by Google and iVerify. The leak follows the earlier discovery of DarkSword targeting devices in Ukraine, Saudi Arabia, Turkey, and Malaysia, and comes on the heels of the related Coruna iOS exploit kit uncovered weeks prior.

Why This Matters

iPhone exploits have historically been among the most expensive to develop, making them the domain of nation-state actors. Allan Liska, field CISO at Recorded Future, warned the leak could "democratize" iPhone exploitation: "If anyone can exploit an iPhone, suddenly something that has managed to be relatively secure now is a much bigger attack surface."

Rocky Cole, co-founder of iVerify, was blunt: "It's extremely alarming that this leaked out on GitHub. I would assume that it's being used all around the world, including here in the United States."

Scale and Urgency

Defensive Actions


2. VoidStealer Malware Bypasses Chrome's Application-Bound Encryption

🔶 HIGH — Novel Browser Encryption Bypass

A new infostealer called VoidStealer has found a way to bypass Chrome's Application-Bound Encryption (ABE) without admin privileges or code injection, using a stealthy debugger-based technique seen in the wild for the first time.

Chrome's Application-Bound Encryption (ABE), introduced in Chrome 127 in 2024, was designed to lock sensitive data like passwords and cookies behind encryption tied to a privileged system service. Previous bypass techniques all required admin privileges. VoidStealer has changed that equation.

How the Bypass Works

According to Gen researcher Vojtěch Krejsa, VoidStealer takes a "surgical" approach: it attaches as a debugger to the Chrome process and places hardware breakpoints on a precise instruction in Chrome's decryption flow. When Chrome momentarily decrypts the v20_master_key in memory, VoidStealer intercepts it using standard debugging APIs.

Hardware breakpoints operate through CPU registers rather than modifying code, leaving memory untouched. This makes the technique significantly stealthier than injection-based methods.

Rapid Evolution

Detection Guidance


3. AI-Powered Phishing Campaign Via Railway Compromises Hundreds of Organizations

⚠ CRITICAL — Active Mass Compromise

An AI-powered phishing campaign leveraging Railway's Platform-as-a-Service has compromised hundreds of organizations' Microsoft cloud accounts, with attackers exploiting device authentication flows to gain 90-day OAuth token access without passwords or MFA.

Researchers at Huntress have uncovered a phishing campaign tied to Railway's PaaS infrastructure that has given attackers access to the Microsoft cloud accounts of hundreds of businesses in just weeks. The tempo accelerated dramatically starting March 3, with more than 50 compromises per day at peak.

What Makes This Different

The campaign stands out for its sophistication-at-scale approach. Researchers believe AI tools were used to generate unique, bespoke phishing lures — no two emails or domains were identical. Templates ranged from traditional email lures to QR codes and co-opted file-share sites.

"Just the amount of it was like Pandora's Box had opened, and the efficacy was just through the roof," said Rich Mozeleski, product manager for Huntress' identity team.

The Device Code Flow Exploit

The phishing campaign exploits Microsoft's device authentication flow — the mechanism designed for smart TVs, printers, and terminals. Once a victim authenticates through the phished flow, the attacker receives valid OAuth tokens lasting up to 90 days — no password or MFA needed.

Victim Breakdown

Among the 344 confirmed victims: construction companies, law firms, nonprofits, real estate agencies, manufacturers, finance and insurance firms, healthcare providers, and government organizations. Huntress believes the true total could be in the thousands.

Response


4. StoatWaffle Malware Auto-Executes on Developers Via VS Code

🔶 HIGH — Developer Supply Chain Threat

North Korea-linked group WaterPlum is deploying StoatWaffle malware that auto-executes when developers open blockchain-themed project repositories in VS Code — no user interaction beyond trusting the folder.

NTT Security researchers have disclosed StoatWaffle, a new modular Node.js malware that represents a dangerous evolution in the long-running Contagious Interview campaign attributed to North Korean threat actors.

Zero-Click Developer Compromise

StoatWaffle abuses VS Code's runOn: folderOpen task configuration. Attackers embed a malicious .vscode/tasks.json file inside legitimate-looking blockchain project repositories. The moment a developer opens the folder and grants trust, the payload executes automatically — no clicks, no suspicious scripts to run.

Capabilities

Defensive Actions


5. Four Former NSA Directors Warn US Offensive Cyber Edge Is Eroding

📡 RSAC 2026 — Strategic Intelligence

At the RSAC 2026 Conference in San Francisco, four former NSA directors — Generals Keith Alexander, Mike Rogers, Paul Nakasone, and Tim Haugh — shared deep concerns about America's ability to maintain its offensive cyber advantage.

Key Takeaways

Gen. Paul Nakasone warned of a dangerous normalization: "I think we've become numb to it. We continue to see these different intrusions, and intrusions have gotten to a size that the scale is just incredible to me." He cited the brain drain across government agencies and deteriorating private-sector collaboration at CISA and the JCDC.

Admiral Mike Rogers was more pointed: "We're the largest economy in the world. We don't have a single federal privacy framework. We don't have a single major piece of cyber legislation." He warned that without a traumatic event causing "fundamental behavioral change," the complacency will persist.

Gen. Tim Haugh noted that China has replicated US-style government-private partnership intelligence capabilities and pre-positioned itself inside critical infrastructure networks.

Gen. Keith Alexander urged: "We will be challenged in this area. We will fight in this area, and it will be both the government and you all helping to protect this country."


Threat Landscape Summary

ThreatSeverityAction Required
DarkSword iOS exploit leakCRITICALUpdate all iOS devices immediately
VoidStealer Chrome ABE bypassHIGHMonitor for debugger attachments to browser processes
Railway AI phishing campaignCRITICALAudit device code flow policies; block Railway IPs
StoatWaffle VS Code malwareHIGHAudit .vscode/tasks.json; restrict folderOpen tasks
US cyber posture warningSTRATEGICReview public-private collaboration frameworks

Stay Ahead of the Threat Curve

Daily intelligence briefings, real-world attack analysis, and actionable defensive guidance.

Explore KENSAI

— KENSAI Security Intelligence · Published March 30, 2026

Related Articles

Redirecting... DarkSword iOS-spyware gelekt op GitHub bedreigt miljoenen, VoidStealer omzeilt C TeamsフィッシングでA0Backdoor展開、Signalハイジャックキャンペーン