Last updated: July 5, 2026 at 9:01 AM UTC
Tag: apple (7 articles)

Unpatchable BootROM exploit hits Apple A12 and A13 chips via USB

Researchers at Paradigm Shift published usbliter8, a working exploit that runs unauthorized code inside the SecureROM of Apple's A12 and A13 chips, the boot code burned into the silicon of devices from the iPhone XS through the iPhone 11, plus the S4 and S5 Apple Watch chips. Because the flaw lives in immutable hardware, no software update can fix it, so affected devices stay vulnerable for life. The catch is that it is not remote: an attacker needs physical possession of the device, must put it in DFU mode, and connect it to a special USB board, after which the exploit runs in under two seconds. It is the successor to 2019's checkm8.

Check
Assess whether high-risk staff or sensitive workflows rely on older Apple devices with A12 or A13 chips (iPhone XS through iPhone 11), which could be compromised if physically seized or lost.
Affected
Apple devices on A12 and A13 chips, roughly iPhone XS through iPhone 11 plus Apple Watch S4 and S5; exploitation needs physical access and DFU mode, so remote risk is nil.
Fix
There is no software fix. Retire or replace affected older devices for high-risk users, enforce strong passcodes and device encryption, keep physical control of devices, and avoid leaving them unattended.

SHub Reaper macOS infostealer spoofs Apple, Google, and Microsoft in one chain - backdoor, wallet hijack, document theft

SentinelOne has documented a new variant of the SHub macOS infostealer family called Reaper. Victims are lured through fake WeChat and Miro installers hosted on typo-squatted Microsoft domains, then prompted to run what looks like an Apple security update. Reaper avoids macOS Tahoe's new Terminal protections by routing its commands through the applescript:// URL scheme. Once running, it steals browser credentials, crypto wallets, dev configs, iCloud data, and Telegram sessions, replaces legitimate Exodus, Ledger, and Trezor wallet apps with backdoored copies, and installs a persistent fake Google Software Update LaunchAgent that gives the attacker an ongoing remote shell. Files larger than 85MB are uploaded in 70MB chunks.

Check
Hunt macOS endpoints for LaunchAgents named com.google.keystone.agent.plist that point at unsigned scripts in ~/Library/Application Support/Google/GoogleUpdate.app/, and search proxy logs for traffic to hebsbsbzjsjshduxbs.xyz.
Affected
macOS users who can be social-engineered into running an installer or AppleScript prompt outside the App Store. Heavily targets developer, finance, and crypto-holding personas.
Fix
Remove the malicious LaunchAgent and persistence script. Rotate all credentials in the browser keychain, crypto wallets, iCloud, Telegram, and any tokens in shell history or .gitconfig. Enforce an MDM policy that blocks unsigned LaunchAgents.

Foxconn confirms cyberattack on North American factories - Nitrogen ransomware crew claims 8 TB stolen including Apple, Intel, Google, Dell, and Nvidia project files

Foxconn confirmed Tuesday that a cyberattack hit several North American factories, with its Wisconsin Mount Pleasant facility halting production for a week starting May 1. Workers were told to power off computers and revert to paper timesheets. Nitrogen ransomware group claimed responsibility, posting 8 TB of stolen data covering 11 million files - allegedly including project documentation tied to Apple, Intel, Google, Dell, AMD, and Nvidia. Foxconn says production is resuming. This is the fourth ransomware attack on a Foxconn entity since 2020.

Check
If your organization is a Foxconn customer sharing technical documentation, audit which projects had files staged at the Mount Pleasant facility between January and May.
Affected
Foxconn customers with data at the Wisconsin facility - Apple, Intel, Google, Dell, AMD, Nvidia, Cisco, Microsoft. Most acute for organizations whose chip architecture or data center topology documents were shared for server or AI infrastructure production.
Fix
Contact Foxconn directly to confirm what was exfiltrated. Treat any technical documentation shared with Mount Pleasant since 2024 as potentially exposed. Rotate credentials, API keys, or signing certificates Foxconn held.

Apple pushes emergency iOS patch for notification-storage flaw that let the FBI recover deleted Signal messages (CVE-2026-28950)

Apple released out-of-band iOS and iPadOS updates to fix a Notification Services flaw that kept notifications marked for deletion sitting in internal storage, where they could be pulled off the device later. The bug (CVE-2026-28950) landed after 404 Media reported that the FBI recovered Signal messages from a suspect's iPhone even after the user deleted them and even after Signal itself was uninstalled. The recovered text did not come from Signal's encrypted message store - it came from the iPhone's internal notification buffer, which silently preserved incoming notification contents that the app and the OS both thought had been erased. Apple's advisory does not name the FBI case but describes exactly the data-persistence behavior 404 Media documented. Signal's team publicly thanked Apple for the fix. Beyond Signal users, this flaw matters for anyone who assumed that deleting a message or uninstalling an app wiped the underlying notification data from the phone - it did not. Forensic extraction of an unlocked iPhone could have surfaced any sensitive content ever pushed as a notification.

Check
Update any iPhone or iPad you manage (BYOD or corporate) to the patched build and audit MDM compliance reports for devices that have not yet installed the emergency update.
Affected
All iOS and iPadOS builds prior to iOS 26.4.2 / iPadOS 26.4.2, and prior to iOS 18.7.8 / iPadOS 18.7.8 for older devices on the 18.x train.
Fix
Install iOS 26.4.2 / iPadOS 26.4.2 (or iOS 18.7.8 / iPadOS 18.7.8 on supported older hardware). For Signal users who want belt-and-braces protection against any future notification-storage issue, change Signal Settings > Notifications > Notification content to 'Name Only' or 'No Name or Content' so message bodies never appear in the notification stream in the first place.

Apple breaks policy to push DarkSword patches to millions more iOS 18 iPhones

In an unusual move, Apple expanded iOS 18.7.7 to cover far more devices on April 1 - breaking its normal practice of using security updates to push users to the newest OS. Around 20% of iPhones remain on iOS 18 (some by choice, some because they can't run iOS 26), and Apple now considers the DarkSword threat serious enough to backport protections rather than leave those users exposed. The update covers iPhone XR through iPhone 16e and multiple iPad generations. Devices with Automatic Updates enabled get it without user action.

Check
Check your MDM for any managed iPhones or iPads still running iOS 18.4 through 18.7 without the 18.7.7 update.
Affected
iPhones and iPads running iOS/iPadOS 18.4 through 18.7 that haven't received the 18.7.7 update. Roughly 20% of all iPhones are still on iOS 18.
Fix
Push iOS 18.7.7 via MDM or ensure Automatic Updates is enabled. For maximum protection, upgrade to iOS 26.4 or enable Lockdown Mode on high-risk devices. Apple confirms Lockdown Mode blocks DarkSword attacks.

macOS Tahoe 26.4 blocks ClickFix paste attacks in Terminal - update your Mac fleet now

Apple shipped an undocumented security feature in macOS Tahoe 26.4 that directly targets ClickFix attacks - the social engineering technique behind the Infinity Stealer campaign we covered last week. When a user tries to paste a potentially harmful command into Terminal, macOS now intercepts it with a warning before anything executes. The feature only covers Apple's built-in Terminal app, not third-party alternatives like iTerm2. A 'Paste Anyway' option remains for power users.

Check
Check if your Mac fleet is running macOS Tahoe 26.4 or later.
Affected
Any macOS user on versions prior to 26.4 who may encounter ClickFix social engineering attacks via fake CAPTCHA pages or tech support sites.
Fix
Update to macOS Tahoe 26.4. Push the update via MDM for managed fleets. Train staff to never paste commands from websites into Terminal regardless of the prompt - the protection only covers Terminal.app, not third-party terminals.

DarkSword iOS exploit kit leaked on GitHub - hundreds of millions of unpatched iPhones at risk (CVE-2026-20700)

A government-grade iPhone hacking toolkit called DarkSword was leaked on GitHub on March 23 - and researchers say it's trivially easy to use. Because it is written entirely in HTML and JavaScript, anyone can host it and use it to hack iPhones running iOS 18.4 through 18.7.1. It chains six vulnerabilities, including three zero-days, for full device takeover, stealing messages, location data, and crypto wallets. Roughly a quarter of all iPhones remain on vulnerable versions.

Check
Check all company iPhones and iPads for outdated iOS versions.
Affected
iOS 18.4 through 18.7.1. Also iOS 13 through 17.2.1 via the related Coruna exploit kit.
Fix
Update to iOS 18.7.2 or later (or iOS 26.3). Enable Lockdown Mode on high-risk devices. Push MDM policies to enforce updates.