Isn’t there some claim that events come in threes? After the extremely rare leak of the iOS Coruna exploit chain recently, we now have details from Google on a second significant in-the-wild exploit chain, dubbed Darksword.
Like Coruna, Darksword appears to have followed the path from government security contractors, to various government actors, to crypto stealers. It focuses on exploits already fixed in modern iOS releases, with most affecting iOS 18 and all patched by iOS 26.3.
Going from almost no public examples of modern iOS exploits to two in as many weeks is wild, so if mobile device security is of interest, be sure to check out the Google write-up.
Another FBI Router Warning
The second too early to be retro – but too important to ignore – repeat security item is a second alert by the FBI cautioning about end-of-life consumer network hardware under active exploitation, with the FBI tracking almost 400,000 device infections so far.
Like the warning two weeks ago, the FBI calls out a handful of consumer routers – but this time they’re devices that may actually still be in service in some of our homes (or those of our less cutting-edge friends and family), naming devices from Netgear, TP-Link, D-Link, and Zyxel:
- Netgear DGN2200v4 and AC1900 R700
- TP-Link Archer C20, TL-WR840N, TL-WR849N, and WR841N
- D-Link DIR-818LW, 850L, and 860L
- Zyxel EMG6726-B10A, VMG1312-B10D, VMG1312-T20B, VMG3925-B10A, VMG3925-B10C, VMG4825-B10A, VMG4927-B50A, VMG8825-T50K
While many of these devices are over ten years old, they still support modern networking – some of them even supporting 802.11ac (also called Wi-Fi 5). Unfortunately, since the manufacturers have ended support, publicly disclosed vulnerabilities have not been patched (and now never will be, officially).
Once infected, the routers are enrolled in the AVRecon malware network, which includes the now-typical suite of behavior: remote control, remote VPN access to the internal and external networks, DNS hijacking, and DDoS (distributed denial of service) attacks. Attackers use this sort of network malware to exploit internal systems like un-patched Windows or IOT devices on the local network, and as a launching point that makes their activity appear to come from a particular country or state by using the victim’s public Internet connection as a VPN exit. It’s also often monetized by unscrupulous apps selling cheap VPN service.
The worst type of vulnerability affecting home routers is one that can be triggered remotely from the Internet without user interaction – for instance CVE-2024-12988, which allows remote arbitrary code execution on Netgear devices. But even vulnerabilities reachable only from the local network can be combined with cross-site vulnerabilities, or with flaws in other devices, to exploit the router. A malware infection on a Windows system can be leveraged to install additional, persistent malware on routers and IOT devices; conversely, malware on a router can manipulate the network to redirect the user into installing more malware on an internal PC, or allow direct attack of internal systems through the router as a proxy.
A slight upside is that this batch of vulnerable hardware is often modern enough to run OpenWrt or other replacement firmware. OpenWrt supports thousands of routers and access points – and often forms the basis of the commercial firmware the device was shipped with, before the manufacturer abandoned it. Converting a device to OpenWrt may be intimidating for some, but for anyone with one of the listed devices, the time to try is now! It’s cheaper than buying a new device, and in the worst case scenario you’d have to replace that router anyway!
You can use the OpenWrt Table of Hardware to see if there is a version for your device.
Unfortunately, vulnerabilities in home routers don’t offer many lessons: users rarely have a reason to log into them to check for a pending update, and there is almost nothing the typical home user can do except buy a new device when the manufacturer stops supplying security fixes.
Trivy Compromised
The Trivy security scanner suffered a breach itself, leading to a cascading series of breaches of other tools. Trivy is an automatic vulnerability scanner for finding vulnerabilities in the dependencies of Docker and other container images, package repositories, and language packages in Go, PHP, Python, Node, and many other popular languages. Trivy is often integrated into the CI/CD (continuous integration and continuous deployment) process of other open and closed source projects and internal company processes.
According to the timeline published by Aqua, in late February 2026 a misconfigured GitHub workflow allowed the theft of authentication tokens for the Trivy project. While the attack was detected and the credentials removed, not all of the credentials were actually revoked, which allowed the attackers to complete the attack on March 19, 2026.
Once compromised, all but one release of the Trivy GitHub Actions were replaced with trojaned copies, spreading the malware payload to every project that used the Trivy scanner actions.
GitHub Actions is the part of GitHub that runs scripts when repository events like a pull request or merge occur. Actions can be used to check that a change compiles properly, scan for security issues, generate documentation, or generate release binaries, and they are typically allowed to make changes to the repository itself. GitHub workflows can include actions from other repositories via the Action Marketplace. By replacing the Trivy actions, the attackers essentially gained access to every repository using Trivy to scan its own codebase for vulnerabilities.
The hijacked Trivy actions collected and exfiltrated access tokens for Docker, Google Cloud, Azure, and AWS, Git credentials, SSH keys, and any other secrets from projects using the Trivy actions. With these keys, the controllers of the original malware were able to attack those projects directly, such as the immensely popular LiteLLM Python interface to LLMs from multiple companies.
The trojaned LiteLLM release in turn stole credentials to cloud services, SSH, git, Docker, and Kubernetes on any system that ran the trojaned setup scripts, as well as infecting any connected Kubernetes systems found in the configurations.
There are also reports that the same actors are infecting NPM packages with malware that automatically updates itself from a blockchain-based control system and steals NPM authentication tokens to inject itself into any NPM packages the victim may have authored.
Supply-chain attacks have been happening for years with varying levels of success, but the Trivy attack may be the most successful yet at spreading compromised packages into multiple package repositories. It’s difficult to avoid supply-chain attacks, especially when the vulnerability scanner itself is the source of the problem. GitHub has introduced immutable releases – tagged build versions which cannot be updated once released – and the immutable release of Trivy was the only version not compromised by the attackers. As more packages shift to immutable versions it may become harder to insert malware into the supply chain, but we’re nowhere near a tipping point of projects using immutable releases yet.

Other security news:
Don’t let iPhones update to iOS 26.4
https://reclaimthenet.org/apple-forces-uk-iphone-age-checks-in-ios-26-4
Apple has distributed an update that forces ID verification to be able to use your own device which you paid for with your hard earned money.
The best choice is probably to switch to GrapheneOS, but it is very limited on what hardware it will run upon.
Wut?!?! “Guys don’t update iOS, instead use Graphene which can’t even work on iPhones”
Great advice.
“Forces it to be able”
Wow, much force.
This is much smoke and little fire, especially compared to real attacks on phones.
And I’d much prefer to trust Apple with my ID than any other big company. And especially more than the types of company which might require these age checks.
If you love Apple so much why don’t you marry it.
“… like un-patched Windows or IOT devices on the local network…” This is one of the reasons I have a separate network for home automation devices, that can’t reach the internet. Isolation is good policy. It is the same at work. There is the internet facing network for business side, and the internal network for energy management systems. Plus Windows free (which doesn’t mean one can relax when it comes to security).
yeah i’m not exactly smug about it, and i don’t have a strong isolation like you’re suggesting, but i think how you think about internal vs external networks is key just like you’re saying…
i don’t have a password on my wifi, and i design all my network policies around the assumption that the call is coming from inside the house. if someone compromised my wireless AP, my ethernet switch, or even my fiber modem, they’d still be ‘outside my perimeter’ from my perspective. they’d be able to get to the ip camera that i use to monitor my rodent population tho
An easier interface for finding supported OpenWrt devices is to use https://firmware-selector.openwrt.org It gives little detail, but it does have links back to the ToH if you need that.
Unfortunately only a couple of the routers listed are supported by OpenWrt. None of the ZyXEL devices are supported, only one of the D-Link devices and none of the Netgear devices. It appears that all the TP-Link devices are supported, but that may depend on actual version of the device.
I’d say just upgrade to a new router if one actually cares about security. Not rocket science here. After all 10 years is ‘old’ in computer hardware years…..
They just hacked the private e-mail of the FBI director.
So, why waste money pretending you are secure?
And if a router is old enough it won’t be affected by the malware that is now targeting more recent routers, so perhaps you should get the oldest one you can find so that all the malware for it was retired as are the servers that were hosting it. Plus they will assume you are a poor slob, with slow internet, not worth targeting :)
“They just hacked the private e-mail of the FBI director.
So, why waste money pretending you are secure?”
InfoSec 101: Not being a boob who opens phishing e-mails…priceless.
Read all about it on WikiLeaks under “Podesta”, Echelon, ThinThread, Utah Data Center.
Trivy hot tub has the poopy in it
What is this Coruna thing? Does this mean we can get a public jailbreak going?
Too many of these right now.
The quantity alone is an out of place pattern. An outlier in the flood. Maybe paranoia, likely my pattern-matching skills making false connections. But in general as a sysop/devop, outliers always make me uncomfortable. In my controlled systems they would trigger a ticket and deeper investigations, even if founded on mistakes of thought.
Nothing can be done by the little people of course, and likely they are innocent finds resultant from heightened nation-state security, but the timing still makes my spidey-senses tingle.
I would sanitize these: “…retro – but… – re…” to avoid thoughts of LLMs (can’t remember what they’re called, but LLMs use them pretty often in place of hyphens). There have been articles, and there was a whole comments-section discussion here about it.
At least one of these is not just a router but a VDSL2 modem + wifi router. I noticed because I have it. There was an option to disable remote management from WAN and it was set that way by default. It would help if that could be made clear that this is actually the only vulnerable path. It seems that way from reading the FBI notice but perhaps there are exceptions.