Three distinct intelligence items this week converge on the npm package ecosystem and open source AI dependency chains as the primary attack surface: the Shai-Hulud CI/CD worm (Unit 42), the JINX-0164 @velora-dex/sdk supply chain compromise targeting macOS developers and crypto firms, and a reported critical vulnerability in an unconfirmed open source AI agent package affecting millions of servers. No CVE IDs have been assigned to these items; the threat is active and not patchable through traditional vendor patching cycles.