# Your iPhone Can Be Hacked by Opening Safari. DarkSword Is Public.
*Patrick Duggan · Mar 24 · 4 min read · Updated: Apr 25*
*March 25, 2026 — DugganUSA Threat Brief*
On March 23rd, someone publicly leaked a complete exploit kit called DarkSword that can compromise approximately 270 million iPhones running iOS 18.4 through 18.7. No user interaction required. Open Safari, visit a page, lose your phone. Six chained vulnerabilities, three of them zero-days, and until yesterday it was the exclusive tool of commercial spyware vendors and intelligence services in Saudi Arabia, Turkey, Malaysia, and Ukraine.
Now it's on the internet for anyone to use.
Google's Threat Analysis Group published the technical breakdown. Apple pushed iOS 19 as the fix. If you're reading this on an iPhone that hasn't been updated in the last 48 hours, stop reading and go update. We'll wait.
## What Else Is on Fire
This isn't the only active exploitation happening right now. It's not even the worst by CVSS score. Here's what we're tracking at DugganUSA this week:
**Cisco Firepower Management Center (CVE-2026-20131)** — CVSS 10.0, the maximum possible severity score. Unauthenticated remote code execution as root. The Interlock ransomware gang has been exploiting this since January. If you run Cisco FMC and haven't patched yet, assume compromise and start hunting.
**Three Chrome zero-days in one month** — a CSS use-after-free (CVE-2026-2441), a Skia out-of-bounds write (CVE-2026-3909), and a V8 implementation flaw (CVE-2026-3910). All confirmed exploited in the wild. All in CISA's Known Exploited Vulnerabilities catalog. Chrome auto-updates, but verify.
**Microsoft SharePoint (CVE-2026-20963)** — CVSS 9.8. Deserialization vulnerability. Remote code execution. Added to CISA KEV on March 18th. Microsoft's March Patch Tuesday included 78 vulnerabilities total, including a SQL Server zero-day (CVE-2026-21262).
**Oracle Identity Manager** — Out-of-band emergency patch for unauthenticated RCE. Oracle doesn't do out-of-band patches unless the building is on fire.
## The Nation-States Haven't Taken the Week Off
**Iran's Handala group** had four domains seized by the FBI last week. The DOJ formally confirmed what everyone already knew: Handala is the Iranian Ministry of Intelligence and Security (MOIS). They ran justicehomeland.org, handala-hack.to, karmabelow80.org, and handala-redwanted.to. The FBI took them down.
They're already back.
We have 102 Handala-linked IOCs in our STIX feed. Their targets include Israeli energy infrastructure, Jordanian fuel companies, the Clalit healthcare system, and Stryker medical devices. The FBI is also warning about MOIS using Telegram as command-and-control for malware targeting Iranian dissidents.
**China's four typhoons** — Volt, Salt, Flax, and Brass — continue coordinated campaigns against critical infrastructure globally. The FBI reports Salt Typhoon alone has hit 200+ companies across 80 countries. A recent SAP breach is drawing direct comparisons to Salt and Volt Typhoon's tactics. Separately, North Korea's Kimsuky group is targeting the emails of US Congressional Armed Services, Foreign Affairs, and Intelligence committee staff.
The ODNI released their 2026 Annual Threat Assessment this week. The summary: all four primary adversaries — China, Russia, Iran, and North Korea — are escalating cyber operations against US critical infrastructure simultaneously. This is not a drill.
**Russia** is actively phishing WhatsApp and Signal accounts belonging to current and former US government officials, military personnel, political figures, and journalists. The intelligence community has rated Russia as the highest immediate threat for "catastrophic operational disruption" of critical infrastructure.
## Supply Chain: The Gift That Keeps on Taking
The developer tool ecosystem continues to be a preferred attack vector:
**GlassWorm** — 72+ malicious Open VSX extensions (the open-source VS Code marketplace alternative) discovered since January 31st. They masquerade as linters, formatters, and AI coding assistants. If you or your team installs extensions from Open VSX, audit immediately.
**Trivy GitHub Actions** — 75 of 76 version tags for TeamPCP's Trivy security scanner were force-pushed with infostealer payloads. This is a re-compromise — a prior supply chain attack wasn't fully remediated. If your workflows reference Trivy actions by tag, verify that the commit each tag resolves to hasn't changed, and pin by full commit SHA (which you should do for any GitHub Action).
**nx npm supply chain** — Stolen keys from the nx package were used to establish GitHub-to-AWS OIDC trust, leading to full cloud admin access in 72 hours. The chain: compromised npm package → stolen OIDC credentials → AWS IAM escalation → complete environment takeover.
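The Trivy item above comes down to one check: is every `uses:` reference in your workflows pinned to an immutable commit SHA, and does that SHA still match what your team reviewed? The following is an added example, not code from this brief, from the Trivy project or from any action it names; the sample workflow, the reviewed-SHA table and every 40-character SHA in it are constructed placeholders (`aquasecurity/trivy-action` is the real action name, the hashes are not real commits).

```python
"""Audit GitHub Actions `uses:` references for mutable tags and SHA drift.

Added example, not code from the DugganUSA brief or from the Trivy project.
The workflow text, the reviewed-SHA table and every 40-hex SHA below are
constructed placeholders, not real commits of any action.
"""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

# Constructed sample workflow. aquasecurity/trivy-action is the real action
# name; the SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: ./.github/actions/local-helper
      - uses: aquasecurity/trivy-action@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  # placeholder sha
      - uses: example-org/example-action@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""

# The SHA the team last reviewed for each action (constructed placeholders).
REVIEWED_SHAS = {
    "aquasecurity/trivy-action": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "example-org/example-action": "cccccccccccccccccccccccccccccccccccccccc",
}


def parse_uses(workflow_text):
    """Return (action, ref) pairs for every remote `uses:` line.
    Local actions (./path) and docker:// images are skipped."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, version = ref.partition("@")
        refs.append((action, version))
    return refs


def audit(workflow_text, reviewed_shas):
    """Classify each reference as ok / unpinned / mutable-ref / sha-drift.

    A tag or branch name can be force-pushed to point at a new commit; a
    full 40-hex SHA cannot be swapped without changing the reference itself.
    """
    findings = []
    for action, version in parse_uses(workflow_text):
        repo = "/".join(action.split("/")[:2])  # owner/repo without any sub-path
        if not version:
            status = "unpinned"
        elif not SHA40.match(version):
            status = "mutable-ref"
        elif repo in reviewed_shas and reviewed_shas[repo] != version:
            status = "sha-drift"
        else:
            status = "ok"
        findings.append((action, version, status))
    return findings


if __name__ == "__main__":
    for action, version, status in audit(SAMPLE_WORKFLOW, REVIEWED_SHAS):
        print(f"{status:12} {action}@{version}")
```

Run it over every file under `.github/workflows/`; anything reported as `mutable-ref` is exactly the exposure the force-pushed Trivy tags exploited, and `sha-drift` means someone changed a pin without it going through review.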
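The nx chain ends at an AWS role that trusted a GitHub OIDC identity. The defender's check is to read each role's trust policy and ask which tokens it would actually accept. Below is an added example, not code from this brief or from the nx project, that models IAM's `StringEquals` and `StringLike` operators just far enough to evaluate a weak trust statement next to a hardened one against constructed token claims; the account id, repository names and branch are placeholders.

```python
"""Evaluate a GitHub-to-AWS OIDC role trust policy against sample token claims.

Added example, not from the brief or from the nx project. It models only the
IAM StringEquals and StringLike operators; the two trust statements and the
token claims are constructed (account id, repo names and branch are placeholders).
"""
import fnmatch

ISSUER = "token.actions.githubusercontent.com"
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + ISSUER  # placeholder account

# Weak: the subject condition is a bare wildcard, so a token minted for any
# GitHub repository satisfies it, not just your own.
WEAK_TRUST = {
    "Effect": "Allow",
    "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {ISSUER + ":aud": "sts.amazonaws.com"},
        "StringLike": {ISSUER + ":sub": "repo:*"},
    },
}

# Hardened: audience pinned and subject restricted to one repo and one branch.
STRICT_TRUST = {
    "Effect": "Allow",
    "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {
            ISSUER + ":aud": "sts.amazonaws.com",
            ISSUER + ":sub": "repo:example-org/app:ref:refs/heads/main",
        },
    },
}

# Constructed token claims in the shape GitHub mints for a workflow run.
LEGIT_CLAIMS = {"iss": "https://" + ISSUER, "aud": "sts.amazonaws.com",
                "sub": "repo:example-org/app:ref:refs/heads/main"}
OTHER_REPO_CLAIMS = {"iss": "https://" + ISSUER, "aud": "sts.amazonaws.com",
                     "sub": "repo:someone-else/app:ref:refs/heads/main"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_allows(condition, claims):
    """True if every condition key is satisfied by the token claims.
    Policy keys look like '<issuer>:sub'; the claim name is the last segment."""
    for operator, tests in condition.items():
        for key, allowed in tests.items():
            actual = claims.get(key.rsplit(":", 1)[1])
            if actual is None:
                return False  # a missing claim never satisfies a condition
            if operator == "StringEquals":
                ok = actual in _as_list(allowed)
            elif operator == "StringLike":
                # IAM StringLike uses '*' and '?' wildcards; fnmatch is close enough here
                ok = any(fnmatch.fnmatchcase(actual, pat) for pat in _as_list(allowed))
            else:
                raise ValueError("operator not modelled: " + operator)
            if not ok:
                return False
    return True


def can_assume(statement, claims):
    """Would sts:AssumeRoleWithWebIdentity succeed for this token under this statement?"""
    return (statement["Effect"] == "Allow"
            and statement["Action"] == "sts:AssumeRoleWithWebIdentity"
            and condition_allows(statement.get("Condition", {}), claims))


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST), ("strict", STRICT_TRUST)):
        print(name, "own repo:", can_assume(policy, LEGIT_CLAIMS),
              "other repo:", can_assume(policy, OTHER_REPO_CLAIMS))
```

The point to look for when reviewing real trust policies is the `sub` condition: anything that is missing, wildcarded, or matched only on the org prefix hands the role to far more identities than the pipeline that was meant to use it.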
Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo →
## Epstein Files: 3.5 Million Pages
The DOJ published 3.5 million pages of Epstein-related records on March 13th, complying with the Epstein Files Transparency Act. This includes 2,000+ videos and 180,000 images. On March 5th, NPR found dozens of withheld FBI interview memos, including one describing an allegation from approximately 1983 involving a minor and Donald Trump. Congress is now exploring new legislation and wants to depose AG Pam Bondi under oath about the handling of these files.
We index and make these files searchable at epstein.dugganusa.com. Free API access at analytics.dugganusa.com.
## What to Do Right Now
1. **Update iOS** — DarkSword is public and trivial to weaponize
2. **Patch Cisco FMC** — CVE-2026-20131 is CVSS 10.0 with active ransomware exploitation
3. **Update Chrome** — Three zero-days this month
4. **Patch SharePoint** — CVE-2026-20963 is in CISA KEV
5. **Audit your CI/CD pipeline** — Trivy, nx, and Open VSX extensions were all compromised
6. **Monitor Handala IOCs** — FBI takedown didn't stick. Our STIX feed has 102 indicators.
7. **Check your ODNI threat posture** — Four adversary nations escalating simultaneously
Our STIX 2.1 feed is free and contains 1,027,915 IOCs as of today. The Handala, Interlock, Salt Typhoon, and Volt Typhoon indicators are all indexed. Consume the feed at analytics.dugganusa.com/stix.
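Consuming a STIX 2.1 feed means turning indicator patterns into something you can run over your own telemetry. This added example, covering both the Handala IOC paragraph above and the feed paragraph here, is not the DugganUSA feed's tooling and assumes nothing about it beyond standard STIX 2.1: it builds a constructed bundle of indicator objects (placeholder ids; the four domains are the Handala domains named in this brief, the IP is from the TEST-NET-3 documentation range), parses the simple single-comparison patterns, and matches them against constructed DNS resolver log lines, including parent-domain matches.

```python
"""Match indicators from a STIX 2.1 bundle against DNS query logs.

Added example; not the DugganUSA feed's tooling. The bundle, its object ids
and the log lines are constructed. The four domains are the Handala domains
named in this brief; 203.0.113.7 is a TEST-NET-3 documentation address.
Only single-comparison STIX patterns such as "[domain-name:value = '...']"
are parsed; compound patterns are skipped.
"""
import json
import re


def _indicator(n, pattern):
    """Build a minimal STIX 2.1 indicator object with a placeholder id."""
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
        "created": "2026-03-20T00:00:00.000Z", "modified": "2026-03-20T00:00:00.000Z",
        "name": f"constructed indicator {n}", "pattern_type": "stix",
        "pattern": pattern, "valid_from": "2026-03-20T00:00:00Z",
    }


STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _indicator(1, "[domain-name:value = 'justicehomeland.org']"),
        _indicator(2, "[domain-name:value = 'handala-hack.to']"),
        _indicator(3, "[domain-name:value = 'karmabelow80.org']"),
        _indicator(4, "[domain-name:value = 'handala-redwanted.to']"),
        _indicator(5, "[ipv4-addr:value = '203.0.113.7']"),
        # compound pattern: deliberately not handled by the simple parser below
        _indicator(6, "[domain-name:value = 'a.example' AND ipv4-addr:value = '203.0.113.8']"),
    ],
})

SIMPLE_PATTERN = re.compile(
    r"^\[(?P<type>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<value>[^']+)'\]$")


def load_indicators(bundle_json):
    """Return {(object_type, value): indicator_id} for every parseable pattern."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = SIMPLE_PATTERN.match(obj["pattern"])
        if m is None:
            continue  # AND/OR, ranges, hashes: out of scope here
        iocs[(m["type"], m["value"].lower())] = obj["id"]
    return iocs


# Constructed DNS resolver log lines (documentation IPs throughout).
DNS_LOG = """\
2026-03-24T10:01:02Z host=ws-17 q=www.example.com a=192.0.2.10
2026-03-24T10:01:09Z host=ws-17 q=Handala-Hack.to. a=203.0.113.7
2026-03-24T10:02:41Z host=ws-03 q=cdn.example.net a=198.51.100.9
2026-03-24T10:05:00Z host=ws-03 q=sub.karmabelow80.org a=203.0.113.7
"""
LOG_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) q=(?P<q>\S+) a=(?P<a>\S+)$")


def match_dns_log(log_text, iocs):
    """Return (timestamp, host, ioc_type, matched_value, indicator_id) hits."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            continue
        qname = m["q"].lower().rstrip(".")
        labels = qname.split(".")
        # check the full name and each parent domain, but never the bare TLD
        for cand in (".".join(labels[i:]) for i in range(len(labels) - 1)):
            if ("domain-name", cand) in iocs:
                hits.append((m["ts"], m["host"], "domain-name", cand, iocs[("domain-name", cand)]))
                break
        if ("ipv4-addr", m["a"]) in iocs:
            hits.append((m["ts"], m["host"], "ipv4-addr", m["a"], iocs[("ipv4-addr", m["a"])]))
    return hits


if __name__ == "__main__":
    for hit in match_dns_log(DNS_LOG, load_indicators(STIX_BUNDLE)):
        print(*hit)
```

Case-folding and stripping the trailing dot matter: resolvers log names in whatever case the client sent, and a feed with a domain indicator should also fire on subdomains of it, which is why the lookup walks up the parent labels.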
*Patrick Duggan is the founder of DugganUSA LLC, a threat intelligence and AI security company in Minneapolis. The DugganUSA STIX feed is consumed by Fortune 500 companies, defense contractors, and independent researchers. Subscribe at dugganusa.com.*
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*
The cheapest, fastest, most accurate threat feed on the internet.
275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.