Billion-iPhone Backdoor: One Image File Hijacks Every iOS Device Ever Sold

TL;DR

  • Apple Patches CVE-2026-20700 to Fix Memory Corruption Zero-Day Exploited Since December 2025
  • Lazarus Group Poisons npm and PyPI with Malicious Packages Targeting Blockchain Exchanges

🍏 CVE-2026-20700: Apple’s dyld 0-day left 58% of U.S. iPhones open for 2-month spy fest

42% of iPhones patched in 24h—wow, Apple fans move faster than a caffeinated squirrel on Black Friday 🐿️ But 58% still naked to nation-state peeping-toms for TWO months while dyld got pwned. Update or keep handing your nudes to spyware vendors—your call, US. When will we stop treating 0-days like surprise drop culture?

For two straight months, nation-state crews and commercial spyware peddlers treated Apple’s core dynamic-link editor, dyld, like their personal sandbox. CVE-2026-20700—an unchecked memory-write flaw—let them scribble whatever code they wanted onto iPhone 11 and newer, current iPads, Macs on macOS Tahoe 26.x, Vision Pro, Apple Watch Series 6 and later, and even the living-room Apple TV. Google’s Threat Analysis Group finally rang the bell on 12 Feb 2026; Apple shipped an emergency patch the same day. Telemetry shows 42 % of iPhones updated within 24 hours, but only 18 % of Macs have bothered so far, leaving millions of endpoints still holding the door open.

How did the attack work?

  • Entry: a malicious app or web page feeds dyld input that reaches the unchecked memory write
  • Escalation: dyld trusts that input, copies attacker-controlled code into a privileged region, then executes it
  • Payload: spyware implants, credential harvesters, and persistence tools ride in without a password prompt

What it already cost us

  • Espionage: targeted individuals in the U.S. and Taiwan report unexplained credential leaks since December
  • Enterprise risk: unmanaged macOS fleets remain 82 % exposed, turning “Bring-Your-Own-Device” into “Bring-Your-Own-Backdoor”
  • Reputation: Apple’s first in-the-wild zero-day of 2026 arrives just seven weeks into the year, matching 2025’s full count of seven patched zero-days

Institutional response & gaps

Observed

  • Apple compressed patch build-to-release to 48 hours, pushing updates across six operating systems simultaneously

Still missing

  • No public indicator-of-compromise list; defenders must reverse the fix themselves
  • Delayed detection: Google saw exploits in December, Apple learned in February—a two-month gift to intruders

Outlook

  • Next 90 days: expect C2 traffic spikes as bot herders cash in on stragglers; SOC teams will scramble for dyld crash-log signatures
  • 2027 and beyond: Apple is expected to wrap dyld in pointer-authentication and hardened allocators; NIST draft publications will likely add “dynamic-loader hardening” to incoming AI-Sec and IoT guidelines

Patch today, log dyld crashes tonight, or keep handing your users’ data to whoever can buy a $2 million exploit chain before breakfast.
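
Two of the to-dos above, “patch today” and “log dyld crashes tonight”, are easy to script. The block below is an added example written for this newsletter, not Apple tooling and not from the original article: it flags fleet devices still below a patched version and pulls crash summaries whose faulting image is dyld. The minimum patched versions are not on the page, so they are a parameter, and the value the demo passes is a constructed stand-in (take the real one from Apple’s advisory for CVE-2026-20700). The inventory rows and the one-line crash-summary format are constructed sample data.

```python
"""Fleet patch-compliance check and dyld crash triage (added example)."""
import re
from collections import Counter

# Constructed inventory: (device id, platform, installed OS version)
INVENTORY = [
    ("iphone-001", "iOS", "26.2.1"),
    ("iphone-002", "iOS", "26.3"),
    ("mac-017", "macOS", "26.2"),
    ("mac-018", "macOS", "26.3"),
    ("ipad-004", "iPadOS", "26.3.1"),
]

# Constructed crash summaries in a made-up key=value line format, one crash per line
CRASH_LOG = """\
2026-02-13T02:11:05Z host=mac-017 process=Safari exception=EXC_BAD_ACCESS image=dyld
2026-02-13T02:11:40Z host=mac-017 process=Mail exception=EXC_BAD_ACCESS image=dyld
2026-02-13T03:02:12Z host=mac-018 process=Xcode exception=EXC_CRASH image=libsystem_c.dylib
2026-02-13T04:15:09Z host=iphone-001 process=Messages exception=EXC_BAD_ACCESS image=dyld
2026-02-13T05:00:00Z host=mac-017 process=Finder exception=EXC_BAD_ACCESS image=CoreFoundation
"""

_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) process=(?P<proc>\S+) "
                   r"exception=(?P<exc>\S+) image=(?P<image>\S+)$")


def parse_version(text):
    """'26.2.1' -> (26, 2, 1); a missing patch or minor component compares as 0."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def unpatched_devices(inventory, min_patched):
    """Device ids whose installed version is below the threshold for their platform."""
    return [dev for dev, platform, ver in inventory
            if platform in min_patched
            and parse_version(ver) < parse_version(min_patched[platform])]


def dyld_bad_access(log_text):
    """(host, process) pairs for memory-access faults whose faulting image is dyld."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if m and m["exc"] == "EXC_BAD_ACCESS" and m["image"] == "dyld":
            hits.append((m["host"], m["proc"]))
    return hits


def triage_hosts(log_text, min_hits=2):
    """Hosts with repeated dyld faults, most frequent first; these go to the top of the queue."""
    counts = Counter(host for host, _ in dyld_bad_access(log_text))
    return [host for host, n in counts.most_common() if n >= min_hits]


if __name__ == "__main__":
    # Constructed threshold for the demo only; not the advisory's real build numbers
    demo_min = {"iOS": "26.3", "iPadOS": "26.3", "macOS": "26.3"}
    print("still unpatched:", unpatched_devices(INVENTORY, demo_min))
    print("dyld bad-access crashes:", dyld_bad_access(CRASH_LOG))
    print("triage first:", triage_hosts(CRASH_LOG))
```

A single dyld crash is noise (bad binaries crash in the loader all the time); the same host faulting in dyld from several unrelated processes in one night is the pattern worth a second look, which is why the triage step counts per host rather than alerting per line.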


💥 12 000 npm Installs: Lazarus Fake-Recruiter Poison Pipelines Globally

12k devs got punked by a fake LinkedIn recruiter & a "math" package—npm install just cost exchanges $5M in API keys 💥 That’s 3 RATs for the price of one job interview. Your CI pipeline still trusts strangers?

North Korea’s Lazarus Group just smuggled three Trojan horses—written in JavaScript, Python, and good-old VBScript—into npm and PyPI under the alias “graphalgo.” The bait: fake recruiter coding tests. The prize: API keys and wallet seeds from crypto exchanges. More than 12,000 installs later, two mid-size trading shops have already coughed up credentials, setting the stage for eight-figure fraud.

How Does the Poison Flow?

  1. Victim lands a “job interview” on LinkedIn or Reddit.
  2. Interviewer says, “Install bigmathutils and duer-js, then solve this algo.”
  3. A single npm install or pip install drops an 85-130 kB obfuscated loader.
  4. The loader phones home over token-rotating HTTPS and fetches an RSA-2048-encrypted RAT.
  5. The RAT scrapes ~/.ssh, environment variables, and browser storage; opens a reverse shell; and ships the secrets out.

Impact Scorecard

  • Confidentiality: Exchange API keys + wallet seeds exposed → unauthorized trades or straight wallet drain.
  • Integrity: Live order books and price feeds now forgeable → market manipulation risk.
  • Availability: RAT can kill trading nodes → halts matching engine, customer outrage.
  • Business: Prior breaches of this size cost $1-5 M in hot-wallet losses + legal fallout.
  • Regulatory: GDPR/CCPA breach notices, plus SEC/FINRA cyber exams if U.S. customers hit.

What Got Done—And What’s Still Missing

Observed

  • GitHub, JFrog yanked the packages within 24 h of disclosure.
  • Major mirrors flipped on SHA-256 signature checks.
  • Red-team rules now flag “npm install” during HR Zoom calls.

Still Missing

  • No mandatory sigstore signing for new uploads.
  • No isolated sandbox for candidate code tests.
  • No outbound TLS token monitoring in most SOCs.
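
Step 3 of the poison flow above and the “still missing” sandbox and signing gaps come down to the same question: what should a machine check before it runs an install for a stranger’s coding test? The block below is an added example for this newsletter, not npm’s, PyPI’s or any vendor’s tooling and not from the original article. It gates an install on three things a CI job can verify offline: the package is on a per-job allowlist, its lockfile entry declares no lifecycle install script (the hasInstallScript flag npm writes into v2+ lockfiles), and the fetched tarball matches the lockfile’s SRI integrity value. The package names other than the one the article names (duer-js), the lockfile excerpt, the tarball bytes and the integrity values are all constructed; the integrity strings are computed inside the script so the demo stays self-consistent.

```python
"""Pre-install gate for candidate code tests and CI jobs (added example)."""
import base64
import hashlib
import json


def npm_integrity(tarball):
    """npm lockfile 'integrity' field in SRI form: '<algo>-<base64 digest>'."""
    return "sha512-" + base64.b64encode(hashlib.sha512(tarball).digest()).decode()


# Constructed tarball contents standing in for the .tgz archives a fetch step downloaded
FETCHED = {
    "left-pad-ish": b"constructed tarball bytes of a benign package",
    "duer-js": b"constructed tarball bytes of a tampered download",
}

# Constructed package-lock.json excerpt. The duer-js integrity is for the bytes the
# lockfile was generated from, so the fetched (tampered) copy must fail the check.
LOCKFILE = json.dumps({
    "packages": {
        "node_modules/left-pad-ish": {
            "version": "1.0.0",
            "integrity": npm_integrity(FETCHED["left-pad-ish"]),
        },
        "node_modules/duer-js": {
            "version": "0.1.3",
            "integrity": npm_integrity(b"the bytes the lockfile was generated from"),
            "hasInstallScript": True,
        },
    }
})

# Constructed allowlist: names approved for sandboxed interview/test runs
ALLOWLIST = {"left-pad-ish"}


def verify_lockfile(lock_json, fetched, allowlist):
    """Return (package, reason) findings; an empty list means the install may proceed."""
    findings = []
    for path, meta in json.loads(lock_json)["packages"].items():
        name = path.split("node_modules/")[-1]
        if name not in allowlist:
            findings.append((name, "not on allowlist"))
        if meta.get("hasInstallScript"):
            findings.append((name, "runs lifecycle install script"))
        blob = fetched.get(name)
        if blob is None:
            findings.append((name, "no fetched artifact to verify"))
        elif npm_integrity(blob) != meta["integrity"]:
            findings.append((name, "integrity mismatch"))
    return findings


def should_block(findings):
    """Any finding blocks the install; this is a gate, not a scoring system."""
    return len(findings) > 0


if __name__ == "__main__":
    findings = verify_lockfile(LOCKFILE, FETCHED, ALLOWLIST)
    for name, reason in findings:
        print(f"BLOCK {name}: {reason}")
    print("install blocked" if should_block(findings) else "install allowed")
```

Run it in the job that would otherwise call npm install, with the network off except for the fetch step; the allowlist is deliberately per job rather than global, because an interview sandbox and a production build have no reason to share one. The same shape works for pip, where the lockfile hashes come from a requirements file generated with --hash entries.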

Timeline: From Now to “Oh No, Again?”

  • Next 3 months: Blacklists harden; CI pipelines reject unsigned deps; SOC alerts spike.
  • 2026 Q4: First copy-cat campaign targeting GitHub Actions (probability >70%).
  • 2027: Container-base-layer poisoning overtakes package registries as Lazarus’ favorite lane—unless reproducible builds and SBOM checks become default.

Bottom line: Lazarus proved that “just run this quick install” is now a $5 million question. Until every dependency arrives signed, sandboxed, and provenance-checked, your next coding interview might double as a bank heist.


In Other News

  • FBI Investigates Chinese Spies for Starlink Data Interception in France
  • OpenAI Faces Potential California Fines for GPT-5.3-Codex Safety Violations