DarkSword iOS Spyware Leaked on GitHub Threatens Millions, VoidStealer Bypasses Chrome Encryption, AI Phishing Via Railway Hits Hundreds
DarkSword iOS exploit kit leaks on GitHub, potentially democratizing nation-state iPhone hacking for the masses. VoidStealer malware pioneers a stealthy debugger-based technique to bypass Chrome's Application-Bound Encryption without admin privileges. An AI-powered phishing campaign abusing Railway's platform compromises hundreds of organizations in weeks. StoatWaffle malware auto-executes on developers through VS Code. Four former NSA directors warn US offensive cyber edge is eroding.
1. DarkSword iOS Exploit Kit Leaked on GitHub — Hundreds of Millions of iPhones at Risk
⚠ CRITICAL — Mass Exploitation Risk
A version of the DarkSword iOS exploit kit has been published on GitHub, potentially putting hundreds of millions of iOS 18 devices at risk of compromise. CISA has added the exploited vulnerabilities to its Known Exploited Vulnerabilities catalog.
Cybersecurity researchers are raising urgent alarms after a version of the DarkSword iOS spyware exploit kit appeared on GitHub — a development first reported by TechCrunch and subsequently analyzed by Google and iVerify. The leak follows the earlier discovery of DarkSword targeting devices in Ukraine, Saudi Arabia, Turkey, and Malaysia, and comes on the heels of the related Coruna iOS exploit kit uncovered weeks prior.
Why This Matters
iPhone exploits have historically been among the most expensive to develop, making them the domain of nation-state actors. Allan Liska, field CISO at Recorded Future, warned the leak could "democratize" iPhone exploitation: "If anyone can exploit an iPhone, suddenly something that has managed to be relatively secure now is a much bigger attack surface."
Rocky Cole, co-founder of iVerify, was blunt: "It's extremely alarming that this leaked out on GitHub. I would assume that it's being used all around the world, including here in the United States."
Scale and Urgency
- Up to 25% of all iPhones are still running iOS 18 — hundreds of millions of devices
- Users may be avoiding upgrades due to iOS 26's AI features or the Liquid Glass interface
- Coruna was potentially wormable — capable of spreading via text messages to a phone's entire contact list
- CISA has added DarkSword-exploited vulnerabilities to its KEV catalog, mandating federal patching
Defensive Actions
- Update all iOS devices immediately — patched devices are not at risk
- Enable Lockdown Mode on iPhones used in high-risk environments
- Deploy mobile threat detection solutions that inspect for exploit indicators
- Monitor for anomalous device behavior, especially on older iOS versions
2. VoidStealer Malware Bypasses Chrome's Application-Bound Encryption
🔶 HIGH — Novel Browser Encryption Bypass
A new infostealer called VoidStealer has found a way to bypass Chrome's Application-Bound Encryption (ABE) without admin privileges or code injection, using a stealthy debugger-based technique seen in the wild for the first time.
Chrome's Application-Bound Encryption (ABE), introduced in Chrome 127 in 2024, was designed to lock sensitive data like passwords and cookies behind encryption tied to a privileged system service. Previous bypass techniques all required admin privileges. VoidStealer has changed that equation.
How the Bypass Works
According to Gen researcher Vojtěch Krejsa, VoidStealer takes a "surgical" approach: it attaches as a debugger to the Chrome process and places hardware breakpoints on a precise instruction in Chrome's decryption flow. When Chrome momentarily decrypts the v20_master_key in memory, VoidStealer intercepts it using standard debugging APIs.
Hardware breakpoints operate through CPU registers rather than modifying code, leaving memory untouched. This makes the technique significantly stealthier than injection-based methods.
Rapid Evolution
- VoidStealer appeared in December 2025 and has already gone through 12 iterations
- Latest version v2.1 was released on March 18, 2026
- Operates as a Malware-as-a-Service (MaaS) model
- Supports multiple fallback bypass techniques if the debugger method fails
Detection Guidance
- Monitor for unexpected debugger attachments to browser processes
- Alert on unusual use of memory-reading APIs targeting Chrome
- Watch for anomalous Chrome process spawning patterns
- Traditional injection-focused EDR rules will not catch this technique
3. AI-Powered Phishing Campaign Via Railway Compromises Hundreds of Organizations
⚠ CRITICAL — Active Mass Compromise
An AI-powered phishing campaign leveraging Railway's Platform-as-a-Service has compromised hundreds of organizations' Microsoft cloud accounts, with attackers exploiting device authentication flows to gain 90-day OAuth token access without passwords or MFA.
Researchers at Huntress have uncovered a phishing campaign tied to Railway's PaaS infrastructure that has given attackers access to the Microsoft cloud accounts of hundreds of businesses in just weeks. The tempo accelerated dramatically starting March 3, with more than 50 compromises per day at peak.
What Makes This Different
The campaign stands out for its sophistication-at-scale approach. Researchers believe AI tools were used to generate unique, bespoke phishing lures — no two emails or domains were identical. Templates ranged from traditional email lures to QR codes and co-opted file-share sites.
"Just the amount of it was like Pandora's Box had opened, and the efficacy was just through the roof," said Rich Mozeleski, product manager for Huntress' identity team.
The Device Code Flow Exploit
The phishing campaign exploits Microsoft's device authentication flow — the mechanism designed for smart TVs, printers, and terminals. Once a victim authenticates through the phished flow, the attacker receives valid OAuth tokens lasting up to 90 days — no password or MFA needed.
Victim Breakdown
Among the 344 confirmed victims: construction companies, law firms, nonprofits, real estate agencies, manufacturers, finance and insurance firms, healthcare providers, and government organizations. Huntress believes the true total could be in the thousands.
Response
- Huntress pushed conditional access policy updates to 60,000 Microsoft cloud tenants blocking Railway domains
- Railway banned associated accounts and blocked implicated domains
- Organizations should audit device code flow policies and restrict them to managed devices only
- Review OAuth token grants for anomalous Railway IP-sourced authentication events
4. StoatWaffle Malware Auto-Executes on Developers Via VS Code
🔶 HIGH — Developer Supply Chain Threat
North Korea-linked group WaterPlum is deploying StoatWaffle malware that auto-executes when developers open blockchain-themed project repositories in VS Code — no user interaction beyond trusting the folder.
NTT Security researchers have disclosed StoatWaffle, a new modular Node.js malware that represents a dangerous evolution in the long-running Contagious Interview campaign attributed to North Korean threat actors.
Zero-Click Developer Compromise
StoatWaffle abuses VS Code's runOn: folderOpen task configuration. Attackers embed a malicious .vscode/tasks.json file inside legitimate-looking blockchain project repositories. The moment a developer opens the folder and grants trust, the payload executes automatically — no clicks, no suspicious scripts to run.
Capabilities
- Modular framework: Loader → Credential harvester → RAT
- Browser theft: Steals stored credentials and extension data from both Chromium and Firefox
- macOS Keychain: Targets Keychain databases on Apple systems
- RAT commands: Shell execution, file operations, Node.js code execution, C2 communications
- Cross-platform: Works on Windows, macOS, and Linux
Defensive Actions
- Audit
.vscode/tasks.jsonfiles in all cloned repositories before opening - Disable or restrict
runOn: folderOpenin VS Code settings - Treat blockchain project repository invitations with heightened scrutiny
- Monitor for anomalous Node.js process spawning from VS Code
5. Four Former NSA Directors Warn US Offensive Cyber Edge Is Eroding
📡 RSAC 2026 — Strategic Intelligence
At the RSAC 2026 Conference in San Francisco, four former NSA directors — Generals Keith Alexander, Mike Rogers, Paul Nakasone, and Tim Haugh — shared deep concerns about America's ability to maintain its offensive cyber advantage.
Key Takeaways
Gen. Paul Nakasone warned of a dangerous normalization: "I think we've become numb to it. We continue to see these different intrusions, and intrusions have gotten to a size that the scale is just incredible to me." He cited the brain drain across government agencies and deteriorating private-sector collaboration at CISA and the JCDC.
Admiral Mike Rogers was more pointed: "We're the largest economy in the world. We don't have a single federal privacy framework. We don't have a single major piece of cyber legislation." He warned that without a traumatic event causing "fundamental behavioral change," the complacency will persist.
Gen. Tim Haugh noted that China has replicated US-style government-private partnership intelligence capabilities and pre-positioned itself inside critical infrastructure networks.
Gen. Keith Alexander urged: "We will be challenged in this area. We will fight in this area, and it will be both the government and you all helping to protect this country."
Threat Landscape Summary
| Threat | Severity | Action Required |
|---|---|---|
| DarkSword iOS exploit leak | CRITICAL | Update all iOS devices immediately |
| VoidStealer Chrome ABE bypass | HIGH | Monitor for debugger attachments to browser processes |
| Railway AI phishing campaign | CRITICAL | Audit device code flow policies; block Railway IPs |
| StoatWaffle VS Code malware | HIGH | Audit .vscode/tasks.json; restrict folderOpen tasks |
| US cyber posture warning | STRATEGIC | Review public-private collaboration frameworks |