DarkSword iPhone exploit kit leaks on GitHub

Researchers warn out-of-date iOS devices become low-skill targets; Apple pushes emergency patches while distribution outpaces updates

Lorenzo Franceschi-Bicchierai, techcrunch.com
Zack Whittaker, techcrunch.com

A hacking tool dubbed DarkSword that was previously seen in targeted attacks against iPhone users has now turned into something closer to consumer software. Researchers told TechCrunch that a newer version of the exploit kit was posted publicly on GitHub, making it possible to compromise older iOS and iPadOS devices that have not been updated to Apple’s latest iOS 26 release.

According to TechCrunch, iVerify co-founder Matthias Frielingsdorf said the leaked package is “way too easy to repurpose” and can be deployed with little specialist knowledge. The files are described as simple HTML and JavaScript that can be copied and hosted quickly, with “out of the box” functionality. A security hobbyist using the handle matteyeux said he was able to hack an iPad mini running iOS 18 using a DarkSword sample circulating online.

Apple’s response, via spokesperson Sarah O’Rourke, was to point back to patching discipline: updated devices are not affected by the reported attacks, and Lockdown Mode blocks these specific techniques. Apple also issued an emergency update on March 11 for devices that cannot run recent iOS versions, acknowledging that the vulnerable population includes users stuck on older software.

The bigger shift is not one more iOS bug, but how exploitation is being packaged and distributed. When exploit code is bundled into a kit with comments, payloads, and ready-made exfiltration routines, the scarce resource stops being vulnerability research and becomes distribution and targeting. TechCrunch reports that the code includes instructions for stealing “forensically-relevant files” and references to post-exploitation collection of contacts, messages, call history, and the iOS keychain—material that can be monetized through account takeover, fraud, and coercion.

Publishing on GitHub also changes the supply chain for offensive code. Even if repositories are removed, mirrors proliferate; the practical problem becomes how fast the kit spreads compared with how fast users update. Apple’s own device-update statistics—cited by TechCrunch as implying hundreds of millions of active devices remain out of date—turn that lag into a predictable addressable market for criminals.

For Apple, bug bounties and rapid patch releases compete with a parallel market where the payoff is highest when a working exploit reaches the widest set of unpatched devices. For users, the cost of that market is paid in forced upgrades, shortened device lifecycles, and the reality that “unsupported” increasingly means “targetable.”

The leaked DarkSword files are small enough to be hosted in minutes. The devices most at risk are the ones still waiting to install an update.