Google & Apple Emergency Updates: Zero-Day Attacks & Security Patches (2026)

Google and Apple have rushed out emergency updates after a zero-day attack that affected an unknown number of users.

On December 12, 2025, Google quietly rolled out patches for several Chrome flaws, noting that one flaw was being actively exploited before a fix could be issued. In an unusual move, Google initially offered sparse details, then later added that the bug was identified through a collaboration between Apple’s security team and Google’s Threat Analysis Group, a team that tracks government-backed hackers and mercenary spyware makers. This collaboration suggests the intrusion campaign could have involved government-sponsored actors.

Simultaneously, Apple pushed security updates across its broad ecosystem, including iPhones, iPads, Macs, Vision Pro, Apple TV, Apple Watches, and Safari. Apple’s advisory for iPhone and iPad stated that the company addressed two bugs it knew might have been exploited in a highly sophisticated attack aimed at specific targeted individuals using devices that predated iOS 26. This phrasing is Apple’s way of confirming that certain users were targeted with zero-day exploits, flaws unknown to the software makers at the time of exploitation.

In many zero-day incidents, attackers leverage sophisticated tools and spyware developed by firms such as NSO Group or Paragon Solutions to pursue journalists, dissidents, and human rights activists. Neither Apple nor Google immediately responded to requests for comment.

This update underscores how rapidly major tech companies mobilize to defend users when new vulnerabilities are discovered, and it highlights ongoing tensions between security, surveillance, and the protection of vulnerable communities online.

If you’re curious about how zero-days work, how government-backed hackers operate, or what steps you can take to reduce risk on your devices, read on or ask questions in the comments. Do you think these kinds of coordinated, cross-company responses are enough, or is there more the industry should be doing to safeguard at-risk users?

Author note: Lorenzo Franceschi-Bicchierai covers hacking, cybersecurity, surveillance, and privacy for TechCrunch. You can reach him at lorenzo@techcrunch.com or via secure channels described in his bio.

Author: Greg Kuvalis
