Nexus owners are about to get a surprise OTA update, but it's not Android 5.0 Lemon Drop Sunshine. It's another build of KitKat, specifically 4.4.4 with build number KTU84P (branch kitkat-mr2.1-release). Sprint has posted the Nexus 5 changelog on its community forums, and it's apparently a security fix.

Our first suspicion was Towelroot, but it looks like 4.4.4 is mainly fixing something else. According to a Googler, the security fix in question is related to CVE-2014-0224, which is an OpenSSL bug allowing a man-in-the-middle attack. It's actually a fairly serious bug, and distinct from Heartbleed (fixed in 4.4.3). There are other tweaks, but we'll have to wait and see what the official word is. An AOSP push should show up soon and we can see what was addressed. Update: We've confirmed Towelroot is not affected by 4.4.4.

The Nexus 5 seems to be the only device with an OTA on the books, but 4.4.4 binaries and images for Nexus devices are already live on Google's site. You can expect the OTAs to begin flowing soon, or just flash the factory image (instructions on doing so) if you're impatient.

[Sprint, Nexus Images, Nexus Binaries]