Google and Apple roll out emergency security updates after zero-day attacks

Apple and Google have pushed out a series of urgent software updates in response to a hacking campaign that targeted an undisclosed number of users across their platforms.

On Wednesday, Google issued patches for several security vulnerabilities in its Chrome browser, noting that one of the flaws had already been exploited by attackers before the fix was released.
In an unusual move, Google initially withheld additional details.

However, on Friday, the company updated its advisory to reveal that the zero-day bug was discovered jointly by Apple’s security engineering team and Google’s Threat Analysis Group — the unit known for tracking state-sponsored hackers and mercenary spyware developers. The involvement of these teams suggests government-linked threat actors may have carried out the attacks.

At the same time, Apple released a broad set of security updates across nearly all major products, including iPhones, iPads, Macs, Vision Pro, Apple Watch, Apple TV, and Safari.

According to Apple’s security advisory for iOS and iPadOS, the company patched two vulnerabilities. It confirmed it was aware that “that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals” who were running versions of the software before iOS 26.

This phrasing is Apple’s standard way of indicating that the company has evidence of real-world exploitation involving zero-day vulnerabilities — flaws unknown to the vendor at the time attackers use them. Historically, such cases often involve government-backed hacking campaigns that deploy spyware from firms such as NSO Group or Paragon Solutions, typically targeting journalists, dissidents, and human rights defenders.

Apple and Google did not immediately respond to requests for comment.