
New command amid mounting cyber risks.
Rudd takes the helm at NSA and Cyber Command. A watchdog probes alleged Social Security data mishandling. Patch Tuesday lands. Governments brace for cyber fallout from Iran. BeatBanker spreads via a fake Starlink app. InstallFix targets developers. ZombieZIP hides malware in archives. And DHS reassigns CBP officials in a FOIA secrecy dispute. Ben Yelin unpacks Anthropic’s lawsuit against the Pentagon. AI eyewear leads to awkward exposures.
Today is Wednesday, March 11th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The Senate confirms Gen. Joshua Rudd to lead NSA and U.S. Cyber Command.
The Senate has confirmed Gen. Joshua Rudd to lead both the National Security Agency and U.S. Cyber Command, filling a critical national security role vacant since April.
Lawmakers approved Rudd in a 71 to 29 vote Tuesday. He becomes the first Senate-confirmed leader since President Donald Trump fired Gen. Timothy Haugh last April. Lt. Gen. William Hartman has served as acting chief since then and plans to retire after Rudd is sworn in. Trump nominated Rudd in December. Rudd previously served as deputy director of U.S. Indo-Pacific Command. He has decades of military experience, though none in cybersecurity leadership roles.
The confirmation drew criticism from Sen. Ron Wyden, who cited concerns about Rudd’s cyber experience and his understanding of National Security Agency surveillance authorities. Rudd told lawmakers he will continue evaluating the long-debated dual-hat structure and defended Section 702 of the Foreign Intelligence Surveillance Act, which expires in April.
Watchdog probes allegation that former DOGE employee attempted to remove Social Security data.
The Social Security Administration’s inspector general is investigating a whistleblower complaint alleging a former U.S. DOGE Service engineer claimed access to highly sensitive citizen databases and intended to share the data with a private employer.
According to the complaint, the former employee allegedly told colleagues he possessed copies of two restricted Social Security databases, Numident and the Master Death File, which together contain records on more than 500 million living and deceased Americans. The records include Social Security numbers and other identifying information. The complaint alleges he stored at least one dataset on a thumb drive and sought help transferring it to a personal computer to “sanitize” before use at a contractor. The allegations do not claim the data was successfully transferred. The inspector general has notified Congress and shared the disclosure with the Government Accountability Office.
The claims raise concerns about potential mishandling of highly sensitive federal data. Agency officials and the former employee deny wrongdoing, and investigations are ongoing.
Patch Tuesday.
Microsoft has released security updates addressing 83 vulnerabilities across its products as part of its March Patch Tuesday rollout.
None of the flaws are currently known to be exploited in the wild, though two vulnerabilities were publicly disclosed before patches were released. The update includes one critical bug, CVE-2026-21536, a remote code execution issue in the Devices Pricing Program that Microsoft says has already been mitigated. Other notable issues include privilege escalation flaws in Windows components and an Azure MCP Server Tools vulnerability that could allow attackers to capture a managed identity token by submitting crafted input. Additional Azure flaws affect Linux virtual machines and Azure IoT Explorer.
Privilege escalation bugs are often used after attackers gain initial access, making timely patching important even in quieter update cycles.
Adobe has released security updates addressing 80 vulnerabilities across eight products, including Adobe Commerce, Illustrator, Acrobat Reader, and Premiere Pro.
The largest set of fixes targets 19 flaws in Adobe Commerce and Magento Open Source, including several high-severity privilege escalation bugs and a security feature bypass. Adobe urged users to apply these patches within 30 days because the platforms are frequent targets for attackers. Additional updates address vulnerabilities that could lead to arbitrary code execution in Illustrator, Acrobat Reader, Premiere Pro, and other tools. Adobe says none of the flaws are currently known to be exploited.
Fortinet, Ivanti, and Intel have released security updates addressing dozens of vulnerabilities across enterprise and firmware products.
Fortinet patched 22 flaws affecting products including FortiWeb, FortiSwitchAXFixed, FortiManager, and FortiClientLinux. Several high-severity issues could allow remote attackers to bypass authentication limits or execute unauthorized commands, while a FortiClientLinux flaw could enable local privilege escalation to root. Ivanti fixed a high-severity privilege escalation bug in Desktop and Server Management prior to version 2026.1.1. Intel also disclosed nine vulnerabilities in UEFI firmware for certain reference platforms and issued updates affecting more than 45 processor models.
Major industrial technology vendors including Siemens, Schneider Electric, Mitsubishi Electric, and Moxa have released Patch Tuesday advisories addressing newly discovered vulnerabilities in industrial control system products.
Schneider Electric disclosed six issues, including high-severity flaws affecting EcoStruxure platforms that could enable command execution, arbitrary code execution, or system compromise. Siemens also published six advisories, including a critical stored cross-site scripting vulnerability in Simatic S7-1500 devices. Mitsubishi Electric reported a remotely exploitable denial-of-service flaw in several numerical control systems. Moxa issued four advisories, largely tied to vulnerabilities in Intel components.
State and local governments are urged to prepare for potential cyber fallout from the Iran conflict.
State and local government officials are being urged to prepare for potential cyber and physical threats following U.S. and Israeli military strikes on Iran.
During a briefing hosted by the Center for Internet Security’s Multi-State Information Sharing and Analysis Center, officials warned that governments could face increased “low-level cyber activity,” including distributed denial-of-service attacks and website defacements. Threat intelligence leaders said politically motivated hacktivist groups aligned with Iran or Russia are forming coalitions that could expand targeting capabilities. Officials also warned that damage to regional infrastructure, including cloud data centers and shipping routes, could disrupt global technology supply chains and online services.
BeatBanker spreads Android malware posing as a Starlink app.
Researchers have identified a new Android malware strain called BeatBanker that spreads through fake websites impersonating the Google Play Store and posing as a Starlink app.
According to Kaspersky, the malware combines banking trojan capabilities with cryptocurrency mining. It can steal credentials, manipulate cryptocurrency transactions, and mine Monero on infected devices. Recent variants also deploy the BTMOB remote access trojan, giving attackers full control of the device, including keylogging, screen recording, camera access, and GPS tracking. BeatBanker uses several evasion techniques, including delayed execution and a persistence method that continuously plays a near-silent audio file to keep the malware running.
“InstallFix” uses fake CLI install pages to trick users into running malware.
Researchers are warning about a new social engineering tactic called “InstallFix” that tricks users into installing malware by posing as legitimate command-line tool installers.
According to Push Security, attackers create cloned installation pages for popular developer tools and replace legitimate setup commands with malicious ones. The technique targets users who copy and run “curl-to-bash” commands commonly used to install command-line interfaces. One observed campaign cloned the installation page for Anthropic’s Claude Code tool and promoted it through Google search ads. The malicious commands delivered Amatera Stealer malware, designed to steal credentials, browser data, and cryptocurrency wallet information.
The attack exploits common developer workflows and trusted installation practices, making malicious commands harder for users to detect.
ZombieZIP conceals malicious payloads inside compressed archives.
Researchers have disclosed a new evasion technique called “ZombieZIP” that can conceal malicious payloads inside compressed archives while bypassing many security scanners.
The method manipulates ZIP file headers so security tools treat compressed data as uncompressed. According to Bombadil Systems researcher Chris Aziz, many antivirus engines trust the ZIP header’s compression method field and scan the archive incorrectly, seeing only compressed noise rather than the actual payload. Standard extraction tools such as WinRAR and 7-Zip typically fail to unpack the files, showing errors or corrupted data. A custom loader that ignores the header, however, can correctly decompress the hidden payload. CERT Coordination Center has issued a warning and assigned the issue CVE-2026-0866.
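A defender-side check for the header trick described above, added here as an example that is not from the briefing or from Bombadil Systems. It assumes the mismatch is a compression-method field relabelled as stored (0) while the entry's bytes stay deflated, and it runs over a constructed in-memory archive rather than a real sample:

```python
# Added example, not Bombadil Systems code. Assumption: the compression-method field
# is relabelled from 8 (deflate) to 0 (stored) while the bytes stay deflated.
import io
import struct
import zipfile
import zlib

LOCAL_HEADER = "<4sHHHHHIIIHH"  # fixed 30-byte local file header layout
PAYLOAD = b"MZ" + b"A" * 2000   # constructed stand-in for a real payload

def build_sample_zip(spoof_stored: bool) -> bytes:
    """Constructed fixture: one deflated entry, optionally relabelled as 'stored'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", PAYLOAD)
    data = bytearray(buf.getvalue())
    if spoof_stored:
        struct.pack_into("<H", data, 8, zipfile.ZIP_STORED)        # local header, method field
        cd = data.find(b"PK\x01\x02")
        struct.pack_into("<H", data, cd + 10, zipfile.ZIP_STORED)  # central directory, method field
    return bytes(data)

def _raw_entry_bytes(zip_bytes: bytes, info: zipfile.ZipInfo) -> bytes:
    """Read an entry's bytes straight from its local header, bypassing zipfile's interpretation."""
    off = info.header_offset
    fields = struct.unpack(LOCAL_HEADER, zip_bytes[off:off + 30])
    csize, nlen, elen = fields[7], fields[9], fields[10]
    start = off + 30 + nlen + elen
    return zip_bytes[start:start + csize]

def find_suspicious_entries(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (name, reason) for 'stored' entries whose bytes are really a deflate stream."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.compress_type != zipfile.ZIP_STORED:
                continue  # an honestly labelled deflate entry gets inflated by any scanner
            if info.compress_size != info.file_size:
                findings.append((info.filename, "stored entry but compressed and uncompressed sizes differ"))
            try:
                inflated = zlib.decompress(_raw_entry_bytes(zip_bytes, info), wbits=-15)
            except zlib.error:
                continue  # genuine plain bytes almost never parse as a raw deflate stream
            if len(inflated) == info.file_size and zlib.crc32(inflated) == info.CRC:
                findings.append((info.filename, "stored bytes inflate to the declared size and CRC"))
    return findings
```

The second check is the stronger signal: a genuinely stored entry should never inflate as raw deflate to exactly the size and CRC the central directory declares.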
DHS reassigns CBP officials after objections to a FOIA secrecy policy.
The Department of Homeland Security reassigned several career Customs and Border Protection officials after they objected to orders to restrict the release of surveillance records under the Freedom of Information Act.
According to reporting reviewed by WIRED, DHS directed staff to label Privacy Threshold Analyses, compliance forms describing how government technologies collect personal data, as “drafts” and legally privileged documents. Sources say the move followed the public release of a redacted assessment describing Mobile Fortify, a facial recognition application used by CBP. The reassigned officials included the agency’s top privacy officer, a privacy branch chief, and the director of the FOIA office. Critics argue the policy could allow the department to withhold records detailing surveillance tools and privacy impacts.
Restricting access to these documents could limit public oversight of government surveillance technologies.
AI eyewear leads to awkward exposures.
Meta’s AI smart glasses promised hands-free insight into the world around you. Some users now suspect the world, unfortunately, was looking back.
A new class action lawsuit alleges Meta misled customers about privacy protections after reporting found contractors at a Kenya-based subcontractor reviewing footage captured by the glasses. According to the complaint, that footage sometimes included extremely private moments, including nudity and other intimate situations. The plaintiffs argue Meta’s marketing, which described the glasses as “built for your privacy” and “controlled by you,” did not make it clear that shared content could be reviewed by human moderators. Meta says human review may occur when users choose to share media with Meta AI, which the company says helps improve the service.
The case underscores a growing reality of AI products: sometimes “smart” devices still rely on very human eyes.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
