This pack covers four intelligence items dominated by two converging attack patterns: software supply chain compromise targeting CI/CD pipelines and Node.js ecosystems, and opportunistic exploitation of internet-exposed infrastructure including IoT devices and management interfaces. Two items carry critical CVSS scores (9.5 and 9.8) with active exploitation confirmed or reported, and a public proof-of-concept is available for the protobuf.js RCE, requiring immediate triage of Node.js service inventories. Organizations should prioritize emergency containment of Nginx UI exposure, protobuf.js patching, and CI/CD pipeline hardening concurrently.