Malware
- DarkSword: the iOS exploit kit left in the open
DarkSword is a six-CVE iOS exploit kit disclosed March 18 by Google, iVerify, and Lookout -- targeting iOS 18.4-18.7 via watering hole attacks with no user interaction required. Apple has now patched all six zero-days in iOS 26.3. Between 220 and 270 million iPhones were estimated to be exposed. Update now.
- ClickFix MacSync: Fake AI Tool Installers Targeting Developers
Three ClickFix campaigns since November 2025 have been using fake AI tool installers -- including Claude Code impersonations -- to deliver the MacSync infostealer via malicious Terminal commands. The attack works because developers are conditioned to trust exactly this workflow.
- The wiper era: why your ransomware IR plan has a gap
Enterprise incident response has been ransomware-centric for a decade. Nation-state proxies using destructive wipers operate on completely different incentives -- and your playbook assumes an attacker who wants something.
- Glassworm: The Supply Chain Attack Hidden in Plain Sight -- Inside Invisible Unicode Characters
Glassworm compromised 151+ GitHub repositories, 72 VS Code extensions, and multiple npm packages using malicious payloads hidden inside invisible Unicode characters that no code reviewer can see. The C2 infrastructure runs on Solana -- it cannot be taken down.
- Slopoly: AI-Generated Malware in a Real Ransomware Attack
IBM X-Force has identified Slopoly: a likely AI-generated PowerShell backdoor deployed by ransomware group Hive0163 in early 2026. It's unsophisticated -- and that's exactly why it matters.
- BlackSanta: The EDR Killer Coming in Through the HR Inbox
Aryaka Threat Labs has documented a year-long campaign by a Russian-speaking threat actor using fake CVs to deploy BlackSanta, an EDR killer that uses a vulnerable kernel driver to blind endpoint security before exfiltrating data from HR systems.