When iPhone exploits turn into commodities

A sophisticated iPhone exploit kit known as DarkSword has escaped the world of targeted espionage and landed in public view—leaked on GitHub in a form that researchers say is trivial to repurpose and deploy. With the barrier to entry collapsing to “copy, paste, host,” the immediate concern is no longer whether advanced actors can use it, but how quickly criminal groups and opportunistic attackers will operationalize it against the enormous population of out-of-date iOS devices.


In this episode, Jame’s Michael Covington joins us for a practitioner-level breakdown of what the DarkSword leak changes, who’s exposed, and what defenders can do right now. We dig into the real enterprise blast radius for organizations with BYOD and partially managed fleets, what meaningful detection and response looks like on iOS when visibility is limited, and how to prioritize patch enforcement, quarantine decisions, and Lockdown Mode for high-risk users. We also zoom out to the bigger pattern: highly capable mobile exploitation frameworks (including recent reporting on Coruna) increasingly surfacing outside tightly controlled circles—reshaping the threat model for Apple devices in the enterprise.

In our reporter chat, Greg talks with Matt Kapko on what they heard during their many conversations during their time at the RSAC 2026 Conference.