DarkSword iOS exploit leaks

A public fork labeled ret2ntr/darksword on GitHub contains an Objective‑C reimplementation, a README that lists build/run instructions and claims support for iOS <=26.0.1. (github.com — ) Google’s Threat Intelligence Group says DarkSword is a full‑chain exploit observed since at least November 2025 that targets iOS 18.4–18.7, leverages six distinct vulnerabilities, and delivers three final‑stage malware families named GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. Security advisories and vendor writeups show the DarkSword chain includes browser → sandbox escape → privilege escalation → kernel compromise stages that enable in‑memory, fileless post‑exploit behavior to evade detection. The U.S. CISA added three Apple CVEs tied to DarkSword (CVE‑2025‑31277, CVE‑2025‑43510, CVE‑2025‑43520) to its Known Exploited Vulnerabilities list on March 20, 2026 and set an April 3, 2026 remediation deadline for federal civilian agencies. Apple has pushed “Critical Software” Lock Screen notifications to devices running older iOS builds and told users the alerts warn about web‑based attacks linked to exploit kits including Coruna and DarkSword. Industry analysts warn the public GitHub release lowers barriers to entry for exploit deployment and could “democratize” iPhone exploitation that was previously nation‑state‑level work, with experts noting rapid reuse across disparate actors. Google says it reported DarkSword vulnerabilities to Apple and added delivery domains to Safe Browsing, and multiple vendors including Lookout are advising immediate updates or Lockdown Mode where updates aren’t possible.