A streaming box should not need a threat model. Neither should a username field, a demo repo, a reset flow, or a browser permission prompt. That is the irritating part this week: the risky pieces were ordinary.

Home devices became a routing cover. Clean code pulled dirt from a dependency. Identity shortcuts aged badly. AI systems trusted the wrong instructions. Same soft spot throughout: trust placed one layer too early.

Below is the full recap, since this is apparently what counted as a normal week.

NetNut Residential Proxy Network Disrupted — Google, in collaboration with the U.S. Federal Bureau of Investigation (FBI), Lumen, and other partners, took action against the NetNut residential proxy network, also known as Popa, building upon its takedown of IPIDEA in January 2026. Google said it disabled Google accounts and associated Google services used by NetNut for malware command-and-control (C2) and updated Google Play Protect, in addition to disabling applications known to incorporate NetNut SDKs. The size of the network is estimated to be at least 2 million devices globally. "NetNut populates its botnet by distributing SDKs for devices commonly found in homes, such as smart TVs and streaming boxes," Google said, adding it "identified NetNut botnet plugin components for large-scale botnets such as BADBOX 2.0." The end goal is to leverage the route traffic through these devices, allowing bad actors to mask malicious activity. The devices are pre-installed with malware before purchase or because users unknowingly download applications containing hidden proxy code.