FBI seizes NetNut proxy platform tied to 2M-device Popa botnet

Quiet holiday week, but the kernel mailing list and the FBI both had eventful Wednesdays.

// SECURITY FOCUS

FBI seizes NetNut proxy platform tied to 2M-device Popa botnet

NetNut is a commercially sold residential proxy service from a NASDAQ-listed company, not a shady underground operation – which means some of those 2M compromised devices are in enterprise networks whose owners bought “legitimate” proxy access without knowing it rode on a botnet. If your threat intel feeds flagged NetNut IPs as benign commercial proxies, that classification needs revisiting now that the domains are seized.

What to do: Pull your firewall and proxy logs for NetNut-associated CIDR ranges this week and check whether any internal hosts were communicating with them.
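One way to run that log check, as an added example that is not from the original newsletter: it matches internal hosts against a suspect CIDR list in both directions and totals the bytes exchanged. The CIDRs are documentation-range placeholders, and the key=value log format and the name `find_proxy_contacts` are assumptions to adapt to your own firewall export.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder ranges from RFC 5737 documentation space; substitute the
# NetNut-associated CIDRs published by your own threat intel source.
SUSPECT_CIDRS = ["203.0.113.0/24", "198.51.100.64/26"]
INTERNAL_CIDRS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed sample lines in an assumed key=value firewall export format.
SAMPLE_LOG = """\
2026-07-01T09:14:02Z action=allow src=10.20.4.17 dst=203.0.113.45 dport=443 bytes=18342
2026-07-01T09:14:09Z action=allow src=10.20.4.17 dst=203.0.113.99 dport=443 bytes=512
2026-07-01T09:15:30Z action=allow src=10.20.9.3 dst=192.0.2.10 dport=443 bytes=900
2026-07-01T09:16:11Z action=allow src=198.51.100.70 dst=192.168.1.50 dport=8080 bytes=2048
2026-07-01T09:17:45Z action=deny src=10.20.9.3 dst=198.51.100.10 dport=443 bytes=100
2026-07-01T09:18:00Z truncated line with no addresses
"""

KV = re.compile(r"(\w+)=(\S+)")

def _in_any(ip, nets):
    return any(ip in net for net in nets)

def find_proxy_contacts(log_text, suspect=SUSPECT_CIDRS, internal=INTERNAL_CIDRS):
    """Map each internal host to the suspect peers it exchanged traffic with."""
    suspect_nets = [ipaddress.ip_network(c) for c in suspect]
    internal_nets = [ipaddress.ip_network(c) for c in internal]
    hits = defaultdict(lambda: {"peers": set(), "bytes": 0, "inbound": False})
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        try:
            src = ipaddress.ip_address(fields["src"])
            dst = ipaddress.ip_address(fields["dst"])
        except (KeyError, ValueError):
            continue  # malformed or non-connection line
        # Check both directions: outbound to the ranges and inbound from them.
        for host, peer, inbound in ((src, dst, False), (dst, src, True)):
            if _in_any(host, internal_nets) and _in_any(peer, suspect_nets):
                entry = hits[str(host)]
                entry["peers"].add(str(peer))
                entry["bytes"] += int(fields["bytes"]) if fields.get("bytes", "").isdigit() else 0
                entry["inbound"] |= inbound
    return dict(hits)

if __name__ == "__main__":
    for host, info in sorted(find_proxy_contacts(SAMPLE_LOG).items()):
        print(host, sorted(info["peers"]), info["bytes"], "inbound" if info["inbound"] else "outbound")
```

Hosts flagged with inbound traffic from the ranges deserve separate triage from hosts that only made outbound connections.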

  1. Two LLM-assisted kernel patch sets get very different receptions from mm developers — LWN.net · Jul 2
    Established mm developers submitting LLM-assisted patches are getting real review; unknown contributors using the same tools are getting noise-filtered. The split tells you more about how the kernel will actually gate AI contributions than any policy statement has.
  2. Etcd v3.5.32 and v3.6.13 fix a websocket auth bug alongside dependency CVEs — etcd · Jul 1
    SIG-etcd released v3.5.32 and v3.6.13, patching dependency CVEs and fixing a websocket auth bug where bearer-prefixed tokens caused authenticated requests to be rejected. Both releases move to Go 1.25.11 and bump go.opentelemetry.io/otel to v1.43.0 to address CVE-2026-29181 and CVE-2026-39883; v3.6.13 also bumps golang.org/x/crypto to v0.52.0. The new write-only-skip-check value for --v2-deprecation is the headline operational change – it lets operators upgrading from v3.5 to v3.6 bypass the startup check that blocks boot when non-membership v2 data remains, buying time before write-only-drop-data becomes the default in v3.7. Exploitability of the patched CVEs in etcd is unknown, but the release notes recommend applying at next maintenance window regardless. v3.4 is now end-of-life and won’t receive further patches.
  3. Trail of Bits: GPT-5.5-Cyber built a zlib fuzzing lab and found real bugs in one day — Trail of Bits · Jul 2
    Trail of Bits pointed GPT-5.5-Cyber at zlib as part of its OpenAI-backed “Patch the Planet” initiative and watched the model autonomously build a full fuzzing campaign in a single day – harnesses across a dozen entrypoints including inflate, inflateBack, uncompress2, MiniZip, puff, and several contrib stream wrappers, plus ASan/UBSan builds, seed corpora repurposed from existing edge-case tests, and compile-time variant builds to reach code hidden in non-default configurations. The model skipped static review on its own judgment, correctly calling it a poor return on tokens for a codebase as reviewed as zlib, then built out the campaign incrementally without hand-holding. Several findings are currently under coordinated disclosure; details drop once patches and a new release land. The operational implication is blunt: setting up a bespoke fuzzing campaign used to require weeks of skilled researcher time, which kept casual attackers out – that barrier is now largely gone. The defensive response Trail of Bits recommends is to run the same tooling first, with strict validity rules that filter agent noise into actionable signal, before a less careful operator does it against you.
  4. Fedora 45 proposal: enable x86_64 shadow stack by default — Phoronix · Jul 2
    Fedora 45 is proposing to enable x86_64 Shadow Stack protection by default, activating hardware-enforced ROP attack mitigation for any process where the binary and all shared library dependencies are built with Shadow Stack support. The groundwork is already mostly done – Fedora has compiled packages with -fcf-protection since 2018, so the majority of binaries already carry the required markup and will gain protection transparently. The one new failure mode to watch for: if a Shadow Stack-enabled process calls dlopen on a non-compliant shared object at runtime, it gets a hard dlopen error rather than silently running unprotected – so third-party or legacy .so files that haven’t been rebuilt could break dynamic loading. Performance cost is reported as negligible. This covers Shadow Stack only; Indirect Branch Tracking (IBT) for full CET coverage is a separate effort planned for a later release.
  5. Amazon EKS now supports Kubernetes version rollbacks within 7 days of upgrade — AWS News Blog · Jul 1
    Amazon EKS now lets you roll back a Kubernetes control plane upgrade within 7 days of completing it – a capability vanilla Kubernetes doesn’t offer at all. The rollback returns the cluster to its actual previous production version, not an emulated state, and supports one minor version at a time (e.g. 1.35 back to 1.34). Pre-rollback cluster insights flag node version mismatches and add-on dependency issues before you proceed; a --force flag skips those checks if you’ve already assessed the situation. For EKS Auto Mode clusters, nodes roll back alongside the control plane while respecting pod disruption budgets, and a cancel API lets you abort midway if the process is taking too long. Control plane rollback took roughly 20 minutes in AWS’s own testing. The feature is available in all commercial EKS regions at no extra charge – you pay only standard EKS and compute costs. For teams managing many clusters in regulated environments who’ve been delaying upgrades out of fear of getting stuck, this removes the main operational blocker.
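For item 4 above (the Fedora shadow stack proposal), an added example that is not from Fedora or Phoronix: a small ELF64 parser that reads the x86 feature bits from a library's `.note.gnu.property` note, which is the markup `-fcf-protection` emits, so third-party or legacy .so files can be audited before the dlopen failure mode appears. The function names and the constructed sample image are assumptions for illustration; the constants are the standard GNU property values.

```python
import struct

PT_NOTE, PT_GNU_PROPERTY = 4, 0x6474E553
NT_GNU_PROPERTY_TYPE_0, GNU_PROPERTY_X86_FEATURE_1_AND = 5, 0xC0000002
FEATURE_IBT, FEATURE_SHSTK = 0x1, 0x2

def _align(n, a):
    return (n + a - 1) & ~(a - 1)

def cet_features(elf: bytes) -> int:
    """Return the x86 feature bitmask from .note.gnu.property (0 if absent)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, _flags, p_offset = struct.unpack_from("<IIQ", elf, base)
        p_filesz, _memsz, p_align = struct.unpack_from("<QQQ", elf, base + 32)
        if p_type not in (PT_NOTE, PT_GNU_PROPERTY):
            continue
        align = 8 if p_align == 8 else 4
        pos, end = p_offset, p_offset + p_filesz
        while pos + 12 <= end:  # walk each note in the segment
            namesz, descsz, ntype = struct.unpack_from("<III", elf, pos)
            desc = pos + _align(12 + namesz, align)
            if elf[pos + 12:pos + 12 + namesz] == b"GNU\0" and ntype == NT_GNU_PROPERTY_TYPE_0:
                p = desc
                while p + 8 <= desc + descsz:  # walk each property in the note
                    pr_type, pr_datasz = struct.unpack_from("<II", elf, p)
                    if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz >= 4:
                        return struct.unpack_from("<I", elf, p + 8)[0]
                    p += 8 + _align(pr_datasz, 8)
            pos = desc + _align(descsz, align)
    return 0

def has_shadow_stack(elf: bytes) -> bool:
    return bool(cet_features(elf) & FEATURE_SHSTK)

def sample_elf(features):  # constructed minimal image, not a loadable library
    note = struct.pack("<III4sIII4x", 4, 16, NT_GNU_PROPERTY_TYPE_0, b"GNU\0",
                       GNU_PROPERTY_X86_FEATURE_1_AND, 4, features)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_PROPERTY, 4, 120, 120, 120, 32, 32, 8)
    return ehdr + phdr + note

if __name__ == "__main__":
    print({f: has_shadow_stack(sample_elf(f)) for f in (0, FEATURE_IBT, FEATURE_IBT | FEATURE_SHSTK)})
```

To audit a real library, pass the bytes of the file (`open(path, "rb").read()`) to `has_shadow_stack`; a `False` result marks an object that a shadow-stack-enabled process would fail to dlopen under the behaviour described above.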

// In other news

culture

  • How Kent Beck shapes the software engineering industry (Pragmatic Engineer) · Jul 1 — Kent Beck on why TDD and XP principles hold up in the AI coding era, and where he thinks trust-building between engineers matters more than throughput metrics.
  • Why your AI bill is bigger than it should be (LeadDev) · Jul 1 — Token hygiene – trimming context windows, caching repeated prompts, and right-sizing models per task – is becoming a first-class engineering cost control discipline as AI spend scales.

dev

  • Announcing Rust 1.96.1 (Rust Blog) · Jun 30 — Rust 1.96.1 is a point release addressing regressions introduced in 1.96.0 – if you’ve hit unexpected compiler behavior since upgrading, this is the fix.

iac

  • How to Test Infrastructure as Code (Pulumi Blog) · Jun 30 — Pulumi’s guide to IaC testing covers unit, integration, and property-based tests with concrete code examples – applies to Pulumi but the taxonomy maps cleanly to Terraform testing patterns too.
  • HCP Terraform Powered by Infragraph Limited Availability Launch (HashiCorp Blog) · Jun 30 — HCP Terraform’s Infragraph feature (limited availability) builds a dependency graph across your full cloud estate to surface drift and unmanaged resources in multi-cloud setups.

k8s

  • Understanding dynamic resource allocation in Kubernetes (CNCF Blog) · Jul 1 — Kubernetes DRA hit GA in v1.35 and NVIDIA has moved its GPU driver into the new framework – this post explains the actual request/claim model with examples covering GPU sharing scenarios.
  • Blog: Announcing Flux 2.9 GA (Flux CD) · Jun 30 — Flux 2.9 GA ships with improvements to OCI artifact handling and controller performance – check the changelog if you’re running Flux in high-throughput reconciliation environments.
  • Support for Istio 1.28 has ended (Istio) · Jul 1 — Istio 1.28 is now end-of-life with no further security backports – clusters still on 1.28 need to upgrade to a supported minor version now.
  • (re)introducing kpt: Your toolchain for infrastructure automation (CNCF Blog) · Jul 2 — kpt re-emerges as a CNCF-backed Kubernetes config automation tool focused on in-place, Git-native package mutation – worth evaluating if Helm’s templating model frustrates you.

Enjoy the long weekend if you’ve got one. Back Monday.
