
DarkSword Exploit Threatens iPhones Still Running iOS 18

Security researchers at Google, iVerify, and Lookout have jointly revealed the discovery of a sophisticated iPhone hacking toolkit called DarkSword, which multiple threat actors are using to compromise devices running iOS 18. Unlike highly targeted spyware attacks of the past, DarkSword has been deployed via compromised legitimate websites, raising the risk that everyday iPhone users could fall victim.

The proliferation of DarkSword suggests a market where exploit brokers sell such tools to multiple buyers. Even worse, a group of Russian hackers left the complete, unobfuscated DarkSword code—including helpful comments explaining each component—available on the compromised sites, where it could have been copied and reused.

What Is DarkSword?

DarkSword is a full exploit chain—a sequence of vulnerabilities chained together to bypass iOS’s multiple security layers—built entirely in JavaScript that can silently compromise an iPhone when a user simply visits an infected website using Safari. No additional clicks, downloads, or interaction beyond visiting the page are required. The attack works against iOS versions 18.4 through 18.6.2, with some variants also targeting iOS 18.7.

Once a device is compromised, researchers say DarkSword can rapidly harvest alarming amounts of data, including:

  • Passwords stored in the keychain
  • iMessage, WhatsApp, and Telegram message histories
  • Photos and screenshots
  • Call logs and contacts
  • Safari browsing history and cookies
  • Calendar and Notes data
  • Location history
  • Health app data
  • Cryptocurrency wallet credentials

Rather than installing persistent spyware, DarkSword takes a smash-and-grab approach: it collects and exfiltrates data quickly, then disengages. Researchers say the DarkSword chain lacks a persistence mechanism, but by that point, the data may already have been stolen.

Who’s at Risk from DarkSword?

Not you, if you’ve installed iOS updates as they’ve been made available. Apple addressed the vulnerabilities that DarkSword exploits starting in the iOS 18.7.2 and 18.7.3 security updates late last year. What about iOS 26? Researchers say they have no evidence that DarkSword has been used against iOS 26 devices, but they note that some of the underlying vulnerabilities were not fully patched until iOS 26.3. None of the security reports even mentions the iPad, but the vulnerabilities are almost certainly the same.

To see what version of iOS you’re running, navigate to Settings > General > About and look next to iOS Version. If it’s between—or includes—iOS 18.4 and iOS 18.7.2, your device is vulnerable to DarkSword. If you’re running iOS 18.7.3 or later, you’re fine.

According to Apple’s App Store adoption rate numbers, 24% of all iPhones are still running iOS 18 today, though they don’t break out iOS 18 sub-versions. Although that could amount to hundreds of millions of iPhones, it seems likely that many fewer people stopped updating during the vulnerable window.

Regardless of the overall population, all that really matters is the version you and the people you support are using. Check now, I’ll wait.

Two Ways to Deflect DarkSword Attacks

Despite the sophistication of the DarkSword exploit chain, protecting vulnerable devices from it is simple. You have two choices:

  • Update: Every iPhone running a vulnerable version of iOS 18 has an update path, either to iOS 18.7.6 (the iPhone XR, XS, and XS Max) or to iOS 26.3.1 (everything else). The problem is that many people have stuck with iOS 18 to avoid iOS 26’s Liquid Glass. If your iPhone supports iOS 26, there is no longer any way to update to a version of iOS 18 later than iOS 18.7.3, and even that version may be available only to people who registered for the iOS 18 Public Beta or Developer Beta.
  • Enable Lockdown Mode: If you absolutely must stay on a vulnerable version of iOS 18, Apple says that Lockdown Mode will also block these attacks. It’s easily enabled from Settings > Privacy & Security > Lockdown Mode > Turn On Lockdown Mode. Unfortunately, Lockdown Mode will degrade your iPhone experience in various ways: it blocks most message attachment types, disables certain Web technologies, and limits incoming FaceTime calls, among other restrictions.
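For anyone checking more than one device, the version rule and the two update paths above can be applied to an inventory list. This is an added example, not code from the article or from the researchers; the CSV layout, the owner names, and the status labels are assumptions made for the illustration, while the version boundaries and update targets are the ones stated in the text.

```python
import csv
import io
import re

# Version boundaries and update targets as stated in the article.
VULN_MIN = (18, 4, 0)             # first affected release
VULN_MAX = (18, 7, 2)             # last release the article treats as vulnerable
IOS26_FULLY_PATCHED = (26, 3, 0)  # some underlying bugs were not fully fixed before this
IOS18_ONLY_MODELS = {"iPhone XR", "iPhone XS", "iPhone XS Max"}

_VERSION_RE = re.compile(
    r"\s*(?:i(?:Pad)?OS\s+)?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", re.IGNORECASE
)


def parse_version(text):
    """Turn '18.7', 'iOS 18.7.2' or '26.3.1' into a comparable 3-tuple."""
    match = _VERSION_RE.fullmatch(text)
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def update_target(model):
    """Return the update the article names for this model."""
    return "18.7.6" if model.strip() in IOS18_ONLY_MODELS else "26.3.1"


def assess(model, version_text):
    """Classify one device; status labels are this example's own."""
    result = {"model": model, "version": version_text}
    try:
        version = parse_version(version_text)
    except ValueError:
        result.update(status="unknown",
                      action="read the version from Settings > General > About")
        return result

    target = update_target(model)
    if VULN_MIN <= version <= VULN_MAX:
        result.update(status="vulnerable",
                      action=f"update to {target} or enable Lockdown Mode")
    elif version[0] == 18 and version > VULN_MAX:
        result.update(status="patched", action="none")
    elif version[0] == 26 and version < IOS26_FULLY_PATCHED:
        result.update(status="update-advised", action="update to 26.3.1")
    elif version[0] == 26:
        result.update(status="patched", action="none")
    else:
        # Releases the article does not discuss (for example, before 18.4).
        result.update(status="not-covered", action=f"update to {target}")
    return result


def triage(csv_text):
    """Assess every row of a CSV with 'owner', 'model' and 'version' columns."""
    rows = csv.DictReader(io.StringIO(csv_text.strip()))
    return [dict(owner=row["owner"], **assess(row["model"], row["version"]))
            for row in rows]


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = """
owner,model,version
alex,iPhone 13 mini,18.6.2
sam,iPhone XR,iOS 18.7.2
kim,iPhone 15 Pro,18.7.3
lee,iPhone SE,26.2
pat,iPhone 16,26.3.1
jo,iPhone 11,18.3
ray,iPhone 12,eighteen
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['owner']:<5} {row['model']:<15} {row['version']:<11} "
              f"{row['status']:<15} {row['action']}")
```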

As much as I appreciate the trepidation many people have about Liquid Glass on the iPhone, much of the negative press—including mine—is aimed at pushing Apple to address relatively subtle problems because Liquid Glass is here to stay. I’ve been using Liquid Glass on my iPhone since the iOS 26 betas, and while I prefer the iOS 18 interface, Liquid Glass hasn’t prevented me from doing anything or slowed me down much, especially after changing a few key settings (see “How to Turn Liquid Glass into a Solid Interface,” 9 October 2025). Sure, I’d prefer a traditional Done button to Liquid Glass’s inscrutable blue checkmark, but iOS 26 also offers legitimate improvements that make life easier, such as how the Phone app’s new Unified view prevents accidental calls (see “Comparing the Classic and Unified Views in iOS 26’s Phone App,” 10 November 2025).

If you’re concerned about DarkSword, upgrading to iOS 26 is a better option than living in Lockdown Mode in iOS 18.

The Increasing Importance of Installing Updates

The appearance of two sophisticated iOS exploit chains—DarkSword and Coruna (see “Older iPhones and iPads Receive Critical Security Updates for Coruna Exploits,” 13 March 2026)—within weeks of each other signals a troubling shift. We have long thought of exploits like these as rare tools used only for highly targeted attacks against specific individuals, but they’re now being deployed more broadly against anyone who visits a compromised website.

As Lookout’s Justin Albrecht told Wired: “People assumed that it was just going to be journalists or activists or maybe an opposition politician that was targeted, and that this wasn’t a concern for a normal citizen. Now that we see iOS exploits being delivered through an unscrupulous broker, there’s a whole market here for this to get to cybercriminals.”

Of course, the proliferation of these tools doesn’t mean everyone will suddenly suffer data theft. DarkSword has to be installed on a website you visit, which means attackers have to compromise a site no one would expect to host malware. That’s not going to happen regularly or broadly, and Google has added known DarkSword delivery domains to Safe Browsing, so Safari may warn users before they visit compromised sites.

But the mere fact that such compromises do occur—remember the 2016 malvertising campaign that impacted high-profile sites like The New York Times?—means you need to take responsibility for your own protection.

So please—install those security updates when we write about them.


Comments About DarkSword Exploit Threatens iPhones Still Running iOS 18

Notable Replies

  1. Apple should allow all iDevices to update to 18.7.6.

  2. Just want to add some personal experience. If you like to read blogs, personal websites, and other stuff put online by individuals and small organizations, as I do, keep in mind that these sites can pick up malware via their publishing systems. For example, an outdoors blog I used to read got infected through a WordPress exploit (fortunately, the Sophos on my iMac put up a warning and blocked anything from happening).

    An additional risk is that unlike with big commercial publishers, a breach can go unnoticed or unfixed for a long time, especially if a website is run by volunteers or as a hobby.

  3. Thanks for the detailed, plain language and sane report @ace !

    If a user is not using Safari on iOS 18.x, are they at risk?

    How can users know which sites are infected if not using Safari?

    I need to research what this is some more, found a couple of sites saying Google is collecting user data as well, in the process of providing warning about known compromised urls…

    Does simply turning off JavaScript disarm the Sword?

  4. I have two devices that are old with weak batteries. That is why they have not been upgraded to iOS 26.

    One device (iPhone SE 2022) got a new battery installed a few days ago in anticipation of doing an upgrade. The other device (iPad Mini 5) has not been serviced yet so I put it into Lockdown Mode. I haven’t noticed much of an issue yet other than a few web fonts.

  5. Let’s be entirely clear: all of this could be avoided if Apple didn’t try to strong-arm their paying customers into upgrading to 26. Just offer the patched 18.x to whoever wants it and be done with it.

  6. This leaves me unsure whether my iPhone running version 18.7.2 is protected. Several statements in the article seem somewhat inconsistent with regard to 18.7.2.

    Sounds like 18.7.2 is safe, being later than 18.7.

    Also seems to indicate 18.7.2 is safe.

    This tells me 18.7.2 is vulnerable!

  7. If you read the Google document that Adam linked, there were a couple of JavaScript exploits patched with 18.7.3, so I would suspect that 18.7.2 is vulnerable.

  8. Since all browsers in iOS are based on the WebKit engine, my guess is yes.

  9. :person_facepalming: good point @silbey, thanks, I think I have read that somewhere, but also I thought I read last year there are now iOS browsers that are not required to use WebKit.

    Would RSS readers be subject to DSword? I am not clear how they work under the hood, some include some kind of web browser for when a user wants to look at the originating page, but otherwise… Hm.

  10. I don’t think so.

  11. Do you live in the EU?

  12. I managed to get 18.7.3 on my iPhone 13 mini through the beta program. DarkSword is the first thing that has made me seriously consider downgrading to iOS 26.

  13. I’ve been wondering about that also.

    Here’s my understanding, based on reading the documents that Adam linked to. (Note I’m not a security expert and some of my statements below may be wrong.)

    DarkSword is a chain of exploits. The Google document has a diagram (Figure 20) that shows the sequencing:

    DarkSword infection chain (from the Google paper)

    The process starts at the top when the user loads an infected page in the web browser. The information is stolen from the phone when the final “payload” steps at the bottom are run.

    If I read the document correctly, in iOS 18.7.2, the vulnerabilities in the upper part of the diagram are present, but Apple fixed the security issues that allow the last two steps at the bottom of the diagram (GPU Sandbox Escape CVE-2025-43510 and Local Privilege Escalation CVE-2025-43520).

    So I think there is a break in this complete chain of exploits on iOS 18.7.2, the final payload isn’t run, so data isn’t stolen from the device. But I’m not sure! (Corrections welcome.)

    I don’t know if we should feel reassured by this analysis. Although this particular exploit chain may not be fully functional on iOS 18.7.2, clearly many other security flaws remain.

    And, to me, the really bad news is the apparent shift from “sophisticated attacks that combine multiple exploits take significant time and expertise to develop and are typically the domain of nation states, used against targeted individuals” to “sophisticated attacks are now being sold to multiple groups that use them to attack indiscriminately for financial gain”. I’m not a journalist, activist or politician, so I thought my risk was relatively low. But if the attacks are no longer highly targeted, I need to reconsider. The iVerify page has an estimate that 270 million people may be running versions of iOS that are vulnerable to DarkSword.

    Although I was hoping to avoid Liquid Glass for a while longer, I think I may update to iOS 26. I’m not happy about any of this, but I’m very grateful to Adam for the alert.

  14. Ashley, I looked at the other two investigations linked by @ace.

    Lookout has a complex and fragmented analysis without a clear conclusion regarding which systems are safe.

    iVerify makes an unambiguous statement in their Final Word section that reads:

    We strongly recommend updating to iOS 18.7.6 or iOS 26.3.1. This will mitigate all vulnerabilities that have been exploited in these attack chains. Furthermore, these exploits would not be effective without additional bypasses on devices where Lockdown Mode is active or on the iPhone 17 with Memory Integrity Enforcement (MIE) enabled.

    Based on that, I am inclined to think it not wise to interpret the info and chart from Google as possibly meaning 18.7.2 is safe. Rather, that 26.3+ is the only sure bet for any devices that can run iOS 26.

    Hmmm, I wonder how long I could go without using Safari since that and browsing websites is the vector?

  15. Indeed. But I haven’t tried any of the new versions or app stores etc.

  16. Maybe a while if you have access to iPad or Mac or other OS devices (this seems to be iOS only).

    I don’t browse much with iPhone but I might try turning off JavaScript and see if it interrupts what I’m browsing.

    Another question occurred as I wrote, many Apps connect to internet for their functionality, are they also using WebKit such that this is not a Safari App issue so much as a WebKit or internet access issue…? I don’t know enough about the inner workings to know, am trying to gauge the threat in my use case…

  17. I think that’s consistent with what I’m trying to say. iOS 26.3.1 fixes all vulnerabilities shown in the chart. However, iOS 18.7.2 fixes some of the vulnerabilities - the ones used in the final stages of the attack. One broken link in the sequence breaks the whole chain. So I think this exploit chain won’t run all the way to the end (and steal data) on iOS 18.7.2.

    But the chain could be modified (your iVerify quote mentions “additional bypasses”).

    So although I think DarkSword in this current form doesn’t work on my iPhone, I’m updating anyway, because I agree that the only sure bet is iOS 18.7.6 (sadly not available to my iPhone 13 mini) or iOS 26.3.1.

  18. The DarkSword exploit chain is apparently now available on GitHub:

    The files uploaded to GitHub are uncomplicated, just HTML and JavaScript, he said, meaning anyone can copy and paste them and host them on a server “in a couple minutes to hours.” “The exploits will work out of the box,” Frielingsdorf said. “There is no iOS expertise required.”

    Yikes.

    (From this TechCrunch article, via Nick Heer.)

  19. I second that, and thank you to Adam for “waiting” while I checked my iOS version number :innocent:

    Thanks to that check I realised that, while I’m on 18.6.2, the ONLY option offered is upgrading to iOS 26 - which I really didn’t / don’t want to do.

    In MacOS I have been offered MacOS 15 updates even though MacOS 26 is available, which I think is the right approach.

  20. It’s a cat and mouse game. You’re never totally safe. You might be temporarily safe until the next exploits are discovered. Who is to say there aren’t also exploits discovered and in use on 26.3.1 that are yet to be disclosed? We just don’t know.

    Personally, I’m OK with my status.

    It seems ad blockers could block the filenames in this exploit. But that’s just another cat and mouse game.

    I do wish Apple would allow 18.x.x upgrades for longer than they did, especially given the Liquid Glass concerns, which I find much more worrisome than visiting a compromised website.

  21. It seems that Apple is emphasizing the importance of updating older software more than it usually has. I notice that it even informed users of some old iOS versions to expect a “Critical Security Update” in the “next few days,” something that Apple very rarely does.

  22. Well, now we know how long my “I will resist Liquid Glass for as long as I can” actually lasted.

    I just upgraded last night (thank you Adam, btw!), and so far it’s not bad, a few probably unnecessary visual fancy things (the distorted transparent folder icon thing is weird, I mean when you slide the home pages or whatever they are called these days, and a background visual pulse when I tap the volume bar in the Sonos app) and the icons are strange, but not as bad as I had feared (yet).

    We are far beyond the days of my first Mac, a Plus with no hard drive and with an external floppy in 1988. It was pretty awesome!

  23. Or, just generally, sites run by small organizations seldom have the resources or knowledge to maintain as strong security as larger organizations. There are, of course, counter examples in both directions.

    As others have said, since all browsers (or nearly all) use WebKit, yes, they’ll be vulnerable. And seriously, don’t overthink this. You can upgrade or turn on Lockdown Mode, but anything else is likely to let you down eventually.

    Please don’t make unsupported accusations about such behavior—that’s how misinformation spreads.

    As far as I’m aware, there’s no way to turn off JavaScript in Safari in iOS. Lockdown Mode does some of that. It’s possible that other browsers that still rely on WebKit could turn off JavaScript, but I suspect that would render many websites nonfunctional.

    It’s not, at least in theory—the waffling is because there’s a difference in what was targeted, when Apple started and finished fixing the bugs, and what was detected by different researchers. 18.7.3 is the earliest version that has all the fixes. You may be able to get that by signing up for the beta program, or you can just upgrade to 26.3.1.

    I doubt it because they aren’t executing JavaScript.

    My suspicion is that non-browser apps are not vulnerable because, again, they’re not going to be executing JavaScript from arbitrary Web pages.

    Good to hear! That’s where my test iPhone SE is as well, but it has been there for a while.

    This is really problematic, and more support for why staying up to date is important.

  24. Settings > Apps > Safari > Advanced > JavaScript

    I also agree that would break the majority of sites, so it’s a double-edged sword (pun intended!)

  25. Is that always true? I stopped using dedicated RSS clients a while ago in favor of a web-based aggregator, but my recollection is that most RSS clients capable of rendering HTML had JavaScript toggles.

  26. <iVerify: We strongly recommend updating to iOS 18.7.6 or iOS 26.3.1. This will mitigate all vulnerabilities that have been exploited in these attack chains.>

    My iPad Air 5 says I need to delete 15 gigs before iOS 23 can be installed. Right now I am on 18.7.3. How do I get 18.7.6?

  27. Unfortunately, you can’t get to 18.7.6 on your iPad. Apple only is supporting updates to OS 26 for your model.

  28. I think you’re okay with 18.7.3:

  29. Sorry, you’re 100% right, or more. The initial sites I read on this dated back to 2019 and were more or less copied by other sites into 2024 so I started to think it wasn’t actual reality but then I chanced upon a fairly reputable page noting at least one aspect of ‘safe browsing’.

    Legal - Safari & Privacy- Apple Fraudulent Website Warning:

    …Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Apple to check whether the website is fraudulent or malware has been detected. For users with China mainland… The actual website address is never shared with the safe browsing provider. Google (and, for users with China…) may also log your IP address when information is sent to them

    (bold type by me for emphasis).

    As an aside on the ‘safe browsing’ updates, Safari seems to do this on the Mac by itself, whether user uses Safari or not. I posted another topic a while ago about finding Safari running even though I hadn’t launched it or used it in years. Using Little Snitch I narrowed down the likely cause to Safari launching itself to check in with Google’s safe browsing database.

    Now back to the regularly scheduled discussion of the actual Topic… :zipper_mouth_face:

  30. I would like to confirm that Liquid Glass is no problem after changing many of the key settings that @ace described. And I also chose to have a solid olive color as wallpaper. (I do not remember if the article mentioned this, but it makes a big difference in the positive direction.)

  31. What are the actual, real world dangers for someone like me? I don’t do any real “work” on my phone. I just make phone calls (gasp! That gives away my age), read and sometimes respond to emails, text with my wife and daughter and a couple of friends, and get driving directions. That’s about it. Anything real I do on my Mac or my iPad. My phone is maxed out at 18.6.2 (other than 26). Thank you all very much.

  32. Is there any way to force 18.7.6 to be available to an iPhone 15 Pro? I’m trying to avoid 26. Maybe I’m nuts?

  33. I’m not sure if this will really be a thing, but I suppose people could start sending messages to random phone numbers if they can figure out how to use that method now that the exploits are on GitHub.

    Most message attachments are loaded and evaluated on iOS even without viewing them. In that case, perhaps turning on lockdown mode is the best choice, just to be safe?

    Sorry, no. There are no more updates to iOS 18 or any other older version for any phone that can run iOS 26. Apple has done this every year for a long, long time.

  34. Folks, 26 is fine. A bit annoying and I get it, but as opposed to having your entire life knowledge stripped from your phone? Is that less valuable than having a perfectly curved window sizing area? “I lost my credit cards but I have good UI” does not seem a reasonable trade balance.

  35. True, if you have a modern iPhone with a strong battery. Older phones, although capable of running 26, may have issues especially with an old/weak battery.

    That’s why I put my iPad mini 5 all of our iDevice in Lockdown mode. Seems fine to me.

  36. If your battery is weak and you want to keep using the phone, replace the battery.

  37. I’ve had no issues and I’ve not seen any general outcry about battery life with 26. What’s the tradeoff for you between lost battery life and your bank accounts being looted?

  38. He did on one of his devices, and plans to on the remaining device.

    Also

    “Reduce Transparency actually drains battery”
    https://forums.macrumors.com/threads/reduce-transparency-actually-drains-battery.2467830/

  39. @byrds71
    Since the exploit steals data from phones and the types of data stolen probably will expand beyond what’s been discovered by security professionals so far, “real world dangers” for you include:

    • The phone numbers you call are stolen. Criminals call your friends and family with scams and phishing attempts.
    • The email addresses you send and receive emails to and from are stolen. Spammers send emails to the addresses. Criminals send your friends and family scams and phishing attempts.
    • If your phone is connected to iCloud, criminals get access to your Calendar and Contacts. The information is used to attempt to scam or phish you.
    • Your location history is used to identify your house and other places, such as your bank, you go to frequently.
    • Photos and videos can be used with generative AI in attempts to impersonate you with call center and customer service workers.

    I think an important consideration in personal security is one’s personality. For example, people who are trusting, people who tend to be people-pleasers, and people who panic easily in unexpected or crisis situations will benefit from being proactive, rather than reactive, when it comes to protecting their computers, tablets, and phones.

  40. Does anyone know what “compromised website” actually means? I mean, are we talking CNN.com or BillsPersonalCreepyWebsite.com? I understand that these are the extremes, but has anyone or any organization done an analysis of the types of infected sites? And is there a telltale code that indicates infection? I’m not super technical, just curious.

  41. Any web site that hosts the malware. This can include:

    • Sites run by the scammers (maybe due to typosquatting or DNS hacks)
    • Advertisement injections
    • Legitimate sites that were hacked via unrelated security holes

    In other words, it could be anything.

  42. Those actually are not extremes. If you look for stories about compromised websites on either a traditional search site (i.e. Google) or a generative AI site (such as Perplexity), you can see that all types and sizes of websites have been under attack for years. Attackers are opportunistic and will exploit any weakness on a website/blog/cloud service, no matter who runs it, if it fits their objectives.

  43. Drat! I thought it might be possible, so I actually went looking—and did a search in Settings—before I wrote that. Thanks for reminding me of the right location.

    IP addresses aren’t particularly private information—every website you visit logs your IP address—so while Apple is not wrong to mention it, I wouldn’t be worried about it. What Apple is saying there that’s important is that Safari doesn’t share the address of the website you’re visiting with Google. It’s just doing a blind match with the Safe Browsing database.

    Again, it’s way too easy to overthink this stuff. For most people, most of the time, being warned about fraudulent websites is a very good thing.

    Although none of the security researchers mention the iPad, it seems likely that the exploits that work against the iPhone will either work or can be tweaked to work against the iPad. So even if your iPhone is used for nothing beyond phone calls, if you have more sensitive information on the iPad, it could also be vulnerable.

    One way to think about this is that the DarkSword payload can pretty much do anything a person with your passcode can do because it can operate with elevated privileges. So it can access all your passwords, photos, emails, messages, etc. Again, if phone calls are all you do, that’s probably just contact info.

  44. Is there any way to determine if a device has been compromised by DarkSword?

    I tried to read the linked articles but the InfoSecSpeak was hard to follow.

  45. iVerify has an app that they suggest can detect it, but it’s so understated in the press release that I wonder.

  46. I just tried that app: triggering sysdiagnose is the hard part. Then you share the file to the app and it uploads to their server. I will let you know my results when it has finished processing!

  47. Unless the iVerify app works, the reporting so far indicates that DarkSword does not leave any traces because it is inserted into memory, runs entirely from memory, and then removes itself from memory. So there aren’t any files or permanent changes to your computer that can be detected.

    At the moment, I’d say the best way to determine if you may have been exposed is to search for lists of websites that are known to have been infected. If you have visited any of the infected sites—or, thinking like an attacker, a site similar in audience or content to an infected site—you have a higher chance of having been exposed than those who haven’t visited.

    A non-tech way to think about this is to assume you just heard a local restaurant caused some customers to suffer from food poisoning. If you ate there during the same time period as the sickened people, you too could get food poisoning unlike somebody who never eats at the restaurant. And if the food poisoning was caused by a delivery of bad meat, any restaurant using the same meat supplier could spread the food poisoning too.

  48. I dug around the iVerify site a little and found this:

    All iVerify apps are able to detect live infections of DarkSword. We’re offering iVerify Basic for free until May so anyone can check their phones. For recent infections you can use the threat hunting feature in the app.

    As the malware is not cleaning up Safari’s browser history or other WebKit related databases you can use MVT or other forensic tools to find the domains used in the initial compromise. The file based indicators are not backed up, so you can only check these on device or with a full filesystem dump.


    ETA:

    The iVerify Basic App, which is currently free to allow users to check for signs of compromise, is specifically designed to detect sophisticated attacks like Coruna by analyzing:

    • system logs
    • forensic artifacts
    • suspicious network activity
    • indicators of compromise (iVerify has the latest indicators for Coruna)

    This deep-level analysis provides an immediate, non-intrusive way to scan your device for known Coruna infections, giving you the visibility traditional mobile defenses lack.
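The history check that the quoted iVerify text describes, searching Safari's browsing history for the domains used in the initial compromise, can be sketched as follows. This is an added example, not part of the comment above and not MVT's or iVerify's code. It assumes Safari's History.db layout (a `history_items` table with `id` and `url`, and a `history_visits` table with `history_item` and `visit_time` in seconds since 2001-01-01 UTC); the indicator domains are placeholders because the page lists none, and the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Safari stores visit_time as seconds since this epoch (assumption noted above).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Placeholder indicators; substitute the delivery domains published by the researchers.
INDICATOR_DOMAINS = {"indicator-one.example", "indicator-two.example"}


def host_matches(host, indicators):
    """True if host is an indicator domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)


def find_indicator_visits(conn, indicators):
    """Return (utc_time, host, url) for each visit to an indicator domain."""
    indicators = {d.lower().strip(".") for d in indicators}
    rows = conn.execute(
        "SELECT i.url, v.visit_time "
        "FROM history_visits AS v "
        "JOIN history_items AS i ON i.id = v.history_item "
        "ORDER BY v.visit_time"
    )
    hits = []
    for url, visit_time in rows:
        # Compare the parsed hostname, not the raw URL, so an indicator that only
        # appears in a path or query string does not produce a false positive.
        host = urlsplit(url).hostname or ""
        if host_matches(host, indicators):
            when = COCOA_EPOCH + timedelta(seconds=visit_time)
            hits.append((when.isoformat(), host, url))
    return hits


def build_sample_db():
    """Constructed in-memory database holding only the columns this example reads."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT NOT NULL);
        CREATE TABLE history_visits (
            id INTEGER PRIMARY KEY,
            history_item INTEGER NOT NULL REFERENCES history_items(id),
            visit_time REAL NOT NULL
        );
        """
    )
    sample = [
        ("https://indicator-one.example/landing", 794000000.0),
        ("https://news.example/story?ref=indicator-one.example", 794000100.0),
        ("https://cdn.indicator-two.example/a.js", 794000200.0),
        ("https://notindicator-one.example/", 794000300.0),
    ]
    for item_id, (url, visit_time) in enumerate(sample, start=1):
        conn.execute("INSERT INTO history_items (id, url) VALUES (?, ?)", (item_id, url))
        conn.execute(
            "INSERT INTO history_visits (history_item, visit_time) VALUES (?, ?)",
            (item_id, visit_time),
        )
    return conn


if __name__ == "__main__":
    # For an extracted copy of the real file, open it read-only instead:
    #   sqlite3.connect("file:History.db?mode=ro", uri=True)
    for when, host, url in find_indicator_visits(build_sample_db(), INDICATOR_DOMAINS):
        print(when, host, url)
```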

  49. Thanks for testing the app. I gave it a try and got a similar result.

    Agree about triggering sysdiagnose.

  50. I don’t consider an iPhone from 2022 old; my daily driver is an iPhone 11 Pro Max bought in 2019, still going strong with its original battery at 84%! I also happen to have an iPad mini 5, still working fine on its original battery.

    Regarding upgrading to 26 on the iPhone, I held off quite a while before doing it, recently upgraded, and there’s nothing about it so far that I care for. I especially don’t like the whole liquid glass “feature” and even though I have most of the effects turned off (or lessened), I can’t believe they would spend time on creating THAT when there are so many other things that need improvement.

  51. I feel really foolish asking this after being a TidBITS subscriber for years ….. I want to save this post until I have time to download it to my phone. Usually I just copy/paste a post into a new email to me. BUT I see the LINK icon. What does it link to? Is this a way to save a post?

  52. There are several ways to do this:

    If you click on the timestamp in the upper-right corner of a comment (red box), you’ll get a popup window to share the comment. There are buttons to share it over X, Facebook and e-mail. Or you can copy the shown text and paste that URL into something else (including a bookmark created by your browser).

    The “links” button below a post (blue box) will copy that post’s URL to your clipboard, which you can then paste elsewhere.

    You can also click the “bookmark” button below a post (green box), which will save it to your TidBITS Talk account’s bookmark list.

    You can see all your bookmarks by clicking on your avatar icon in the upper-right corner and then click on the bookmark icon:

    Which will take you to https://talk.tidbits.com/u/username/activity/bookmarks.

  53. This thread and the announcement of iVerify’s app made me take a quick look at iVerify, the company.

    iVerify is currently a small, venture capital-backed company. It might have been spun out of a company called Trail Of Bits. It is still early in its funding life; its $12 million Series A round was in 2024, with earlier, probably angel investor, rounds totalling about $4 million. Through 2025, it looks like the total amount it has raised from investors is around $30 million.

    Now, based on the discussion in this thread, it appears that the iVerify app works by scanning logs and activity histories stored on iPhones, then sending a report to iVerify for analysis.

    So, I’d say that anybody thinking of using the iVerify app should consider carefully how comfortable they feel about sending usage data from their phone to iVerify. In addition, sending personal data to startups and small companies, in contrast to large, well-established companies, has some unique risks. For example, it is unlikely Apple will go bankrupt and have all of its customer data sold to another company. Or that a data breach at Google would go unreported by major news outlets.

  54. In addition to @Shamino’s excellent reply, there are also nicely helpful tooltips when hovering the pointer over various icons around posts, for example:

    and when selecting a bit of the text and hovering there are also X and email options presented:

  55. According to the Apple spokesperson, iOS 18 users will also have a “manual” method to get the update. As of 8:30 am Pacific time, I do not yet see it on multiple devices tested, even when pulling-down to refresh the Software Update screen. (Note: My “Automatic Updates” settings are all off except for Security Responses & System Files).

    The Apple Insider article below links to the alleged source article at Wired:

    https://appleinsider.com/articles/26/04/01/users-staying-on-ios-18-will-get-a-patch-for-the-worst-iphone-attack-vector-weve-ever-seen

  56. The spokesperson said “Wednesday morning” so there’s time yet.

  57. iOS/iPadOS 18.7.7 appears to be live for devices currently running 18.

    Just checked Software Update, scrolled to bottom and saw the option under “Also Available”. It shows your current iOS version below that. Tapping 18.7.7 brings up the full screen with the usual generic message and link to Apple Security Releases page, which does NOT show this specific release, only the original 18.7.7 update from March 24th. Ran update on iPhone 13 and it took around 8-10 minutes.

  58. Given the severity of the DarkSword exploit I put all my iPhones and iPads into Lockdown mode. It works but some websites have issues.

    I have been patiently waiting/hoping that Apple would issue an update for those not yet using iOS 26. Very happy to see they have done this.

    I feel some sympathy to those who upgraded to iOS 26 in the past few days – there is no way to go back to iOS 18.

  59. iOS 18.7.7 is now available.

  60. I’m delighted to hear the news!

    Unfortunately, based on the seriousness of DarkSword, I “downgraded” my iPhone 13 mini to iOS 26.4 a little over a week ago, and I regret it.

    I am getting accustomed to 26.4, but I find that iOS 18 was a much more polished experience.

  61. I checked today several times and thought there was no update, because this is what I saw:

    Notice there’s no scrollbar, and if you try to scroll by grabbing the iOS 26.4 update, it just scrolls that update’s way too long description.

    What you’re supposed to notice is the mouseprint “ALSO AVAILAB” that’s obscured by the bottom grabber.

  62. 18.7.7 was available on my iPad Air 5 about noon, Pacific Standard Time, in Portland, OR. Upgrade done!

  63. Unbelievable! :open_mouth:

    Thank you Apple and Happy 50th.

    (Not visible on my iPhone 16 Pro right now in the UK but hopefully will be downloaded by morning.)

  64. Yeah, I explicitly added “scroll down” to the instructions in my article since I experienced exactly the same thing on the iPhone SE.

  65. I am one holding off on ‘upgrading’ to 26 but not being able to install security updates on my iPhone 12 and iPad Air 4 because Apple does not offer them. I have also started ignoring the badge on the settings app because of that. To me this security issue illustrates the stupidity of Apple’s policy in trying to force users to ‘upgrade’ their devices instead of offering them to choose. Also, not allowing a user to ‘ignore this update/upgrade’ and removing the badge does not help.

    Apparently Apple has come to wisdom and now does offer 18.7.7 to users like me. I installed it immediately when I learned about it here. So despite Apple and thanks to TidBITS my devices are again protected from the latest threats :+1::slightly_smiling_face:

  66. … Or maybe Apple didn’t want to wait for both releases to pass validation and security testing before releasing one, and they gave priority to version 26, releasing version 18 after it passed its testing.

    Don’t assume an evil conspiracy if there’s a perfectly reasonable mundane explanation.

    Apple hasn’t released a patch for iOS 15 (the latest my iPod can run). Does this make them evil? Or does it reflect the fact that there are so few users still on that platform that it’s not worth the engineering effort?

  67. And if that had been the case, they could have, at the 26 security update release, told folks something like “we’re working on a security update for 18, but it’s hard and it’s taking us a bit, please bear with us”. That would have informed their valued customers of what’s going on and it would also have allowed folks who consciously wanted to stay on 18 to hold off updating to 26 just for this fix, as several here have reported feeling compelled to do.

    But Apple made no such communication. Meanwhile what they did communicate was that they’re planning to burden their valued customers with ads in Maps.

    This is not about being “evil”. It’s not a moral question. And it’s certainly not binary either. Around such a huge business and market there are many facets.

    What this instance does appear to be about, is the leadership to set priorities right. And we do know from much past experience that Apple indeed is receptive to public pressure and shaming, if intense enough. As somebody who wants Apple to get their priorities straight and always put user experience ahead of all other distractions (be it marketing or other), I’m all in favor of the media and loyal users being vocal when Apple is not displaying the right attitude. When folks speak up in places like here or the WSJ personal tech editor points out that Apple is screwing up, that is a good thing in my book.

    In this case, a simple one-liner press release would have done the job and earned Apple a bunch of praise (recall, longevity and support of previous hardware/software are one of the key advantages of Apple’s products) instead of bad press and suspicions about ill intent.

  68. That could be a (valid) explanation, but does not explain why Apple is withholding incremental updates from users that want to stay on 18. My devices were on 18.7.2 because Apple did not offer 18.7.3 or 18.7.4 as an also available update.

    I’m not assuming any evil. Probably Apple management thinks it is doing users a favor by ‘allowing’ them to ‘upgrade’ to the latest and ‘greatest’. I think different :wink: Giving users the choice to do with their devices what they want is better for users I think.

  69. Apple has done this every year. I believe that 18.7.7 is the first time they have provided a security update to phones with the ability to update to the new release after they’ve stopped providing those updates on all phones that can update to a newer version.

    Your point that Apple shouldn’t do this is noted by me. But Apple’s general policy has been to stop providing these updates after about the X.2 update in about early December every year. If anyone didn’t notice this already, you know this now, and you can decide when you purchase your next phone or tablet to continue buying Apple devices, or switch to another platform that may be more willing to provide those updates.

    This may be a one-time thing because of the poor reception to iOS 26 and what seems to be a rushed and not well tested change to this new Liquid Glass paradigm. Or maybe Apple has decided that not protecting users who stay on older releases from similar bugs was a bad decision in the past and this will be a new policy. Apple hasn’t said anything at all about this either way.

  70. There’s a nice summary of what DarkSword means from JAMF:

    Conclusion

    The DarkSword leak teaches us three critical lessons about the state of mobile threats. First, government-grade exploit capabilities are no longer confined to sophisticated operators — the availability of production-ready source code with detailed debug output lowers the barrier for any skilled developer to replicate these attacks. Second, the ethical guardrails claimed by the commercial spyware industry are demonstrably hollow, as evidenced by a kit designed for cryptocurrency theft rather than law enforcement. Third, the industrial scale of engineering required to maintain such a kit — hundreds of device and firmware combinations, constant adaptation to new mitigations — shows both the level of investment behind these threats and the pressure points where defensive improvements by Apple are forcing costly responses from attackers.

    Organizations should ensure that devices are consistently updated, actively monitored and protected against such threats, regardless of the user’s role. The era in which only high-profile targets need to worry about nation-state-level exploits is over.
